SPECIAL ISSUE: An Executive's Guide to the World of the CSO

THE RESOURCE FOR SECURITY EXECUTIVES

When it comes to the ins and outs of corporate and information security, our annual primer will help business executives measure up. So, pick out a worthy colleague or two and pass this issue along. It's always good to share the experience...


Companies everywhere are facing a new kind of threat. Fortunately, there's a new level of protection.

Introducing Application Intelligence, only from Check Point.

The Internet is evolving. So is the technology that keeps it secure. Now Check Point introduces Application Intelligence, a major breakthrough in the evolution of Internet security and a definitive response to the growing problem of application-level attacks. With Application Intelligence integrated into Check Point FireWall-1 and SmartDefense, your business-critical systems are safe from both network and application-level attacks. By providing the world's only truly integrated security infrastructure, Check Point centralizes and strengthens your defense against attack at every level, every location. Want to take Internet security to the next level? Get "Internet Security Redefined: A new level of integration, a new level of protection," the revealing new white paper that tells you everything you need to know about the latest cyber threats, at www.checkpoint.com/appint/cso

© 2003 Check Point Software Technologies Ltd. All rights reserved.

We Secure the Internet.

Advertising Supplement


The Evolution of the Firewall

By Gonen Fink, Vice President, Solutions & Strategy, Check Point Software


Over the past several years, enterprise firewalls have become staples of network security architectures. Designed primarily to provide access control to network resources, firewalls have been successfully deployed in the large majority of networks. A major reason for firewall success is that when used to enforce a properly defined security policy, firewalls commonly defeat more than 90% of network attacks. However, while most firewalls provide effective access control, many are not designed to detect and thwart attacks at the application level.

Evolving Threat Environment

Recognizing this reality, hackers have devised sophisticated attacks that are designed to circumvent the traditional access control policies enforced by perimeter firewalls. Today's knowledgeable hackers no longer simply scan for open ports on firewalls in hopes of finding an easy way into networks.

Some of the most serious threats in today's Internet environment come from attacks that attempt to exploit known application vulnerabilities.

Of particular interest to hackers are services such as HTTP (TCP port 80) and HTTPS (TCP port 443), which are commonly open in many networks. Access control devices cannot easily detect malicious exploits aimed at these services.

By targeting applications directly, hackers attempt to achieve at least one of several nefarious goals, including:

• Denying service to legitimate users (DoS attacks)

• Gaining administrator access to servers or clients

• Gaining access to back-end information databases

• Installing Trojan horse software that bypasses security and enables access to applications

• Installing software on a server that runs in "sniffer" mode and captures user IDs and passwords

Since application-driven attacks tend to be sophisticated in nature, effective defenses must be equally sophisticated and intelligent. This important shift in attack methodology requires that firewalls provide not only access control and network-level attack protection, but also understand application behavior to protect against application attacks and hazards. Enterprise firewalls, in order to address the increasing threat from application-driven attacks, must evolve into a new class of multilayer security gateways. This multilayer security gateway should protect against both network and application attacks, while providing robust access control to IT resources.

Discover the Check Point Difference

• Complete Network & Application Level Security

• Attack protection with Application Intelligence

• Access control based on Stateful Inspection

• Best-of-Class performance, scalability and flexibility


Defending Against Application-Level Threats

In order to provide application-layer security, a security solution must address the following four defense strategies.

1) Validate Compliance to Standards. Firewalls must be able to determine whether communications adhere to relevant protocol standards. Violation of standards may be indicative of malicious traffic. Any traffic not adhering to strict protocol or application standards must be closely scrutinized before it is permitted into the network; otherwise business-critical applications may be put at risk.

Example: While the official HTTP standard prohibits binary characters in HTTP headers, the rule is ambiguous and not always enforced. As a result, many hackers launch attacks by including executable code in HTTP headers. Therefore, a firewall should allow the blocking or flagging of binary characters in HTTP headers and requests.

2) Validate Expected Usage of Protocols (Protocol Anomaly Detection). Testing for protocol compliance is important, but just as important is the capability to determine whether data within protocols adheres to expected usage. In other words, even if a communication stream complies with a protocol standard, the way in which the protocol is being used may be incongruous with what is expected.

Example: Directory Traversal attacks allow a hacker to access files and directories that should be out of reach, and can result in running undesired executable code on the web server by trying to access unauthorized resources. Most of these attacks are based on the ".." notation within a file system. Firewalls should block requests in which the URL contains a directory request that complies with syntax, but does not comply with expected usage. For example, http://www.server.com/first/second/../../.. should be blocked because it attempts to go deeper than the root directory.
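As an added illustration of the first two strategies (this is example code written for this page, not code from the article or from Check Point's products), the inspector below flags binary characters in HTTP headers and flags request paths that climb above the document root, as in the http://www.server.com/first/second/../../.. example above; it goes one step beyond the article by decoding percent-encoded dots before counting directory depth. All sample requests are constructed.

```python
"""Added example, not code from the Check Point article or its products: a
minimal HTTP request inspector implementing the article's first two defense
strategies. Strategy 1 flags binary (non-printable) characters in HTTP
headers; strategy 2 walks the path segments and flags requests such as
http://www.server.com/first/second/../../.. that climb above the document
root even though they are syntactically valid. Sample traffic is constructed."""
import re
from typing import List
from urllib.parse import urlsplit, unquote

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def has_binary_chars(field: str) -> bool:
    """Strategy 1 (validate compliance to standards): header fields should be
    printable ASCII; HTAB is the only control character the HTTP grammar allows.
    Anything else below 0x20, DEL, or a byte >= 0x80 counts as binary."""
    return any(ord(c) != 0x09 and (ord(c) < 0x20 or ord(c) >= 0x7F) for c in field)


def traverses_above_root(path: str) -> bool:
    """Strategy 2 (validate expected usage): track directory depth while walking
    the path. Going negative means a '..' tried to step above the root.
    Percent-encoded dots are decoded first, a small extension beyond the article
    so that %2e%2e is treated like '..'."""
    depth = 0
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def inspect_request(raw: str) -> List[str]:
    """Apply both checks to one raw HTTP request and return the findings.
    An empty list means the request passed; a gateway would log and block
    anything that comes back non-empty."""
    findings: List[str] = []
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return ["malformed request line"]
    # urlsplit handles both origin-form ("/a/b") and absolute-form
    # ("http://host/a/b") targets and gives back just the path component.
    path = urlsplit(m.group(2)).path
    if traverses_above_root(path):
        findings.append(f"path traverses above document root: {path}")
    for line in lines[1:]:
        if line == "":
            break  # end of the header block
        name, sep, value = line.partition(":")
        if not sep:
            findings.append(f"malformed header line: {line!r}")
            continue
        if has_binary_chars(name) or has_binary_chars(value):
            findings.append(f"binary characters in header: {name.strip()}")
    return findings


# Constructed sample traffic: the article's traversal example, a legitimate
# request that uses '..' without leaving the root, and a header carrying bytes
# that no standards-compliant client would send.
SAMPLES = {
    "traversal": "GET http://www.server.com/first/second/../../.. HTTP/1.0\r\n"
                 "Host: www.server.com\r\n\r\n",
    "benign": "GET /first/second/../index.html HTTP/1.1\r\n"
              "Host: www.server.com\r\n\r\n",
    "binary_header": "GET / HTTP/1.1\r\nHost: www.server.com\r\n"
                     "User-Agent: Mozilla\x00\x90\x90\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, "->", inspect_request(request) or "clean")
```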

3) Limit Applications' Ability to Carry Malicious Data. Even if application-layer communications adhere to protocols, they may still carry data that can potentially harm the system. Therefore, a security gateway must provide mechanisms to limit or control an application's ability to introduce potentially dangerous data or commands into the internal network.

Example: Cross Site Scripting Attacks

Scripts provide a common mechanism for launching attacks against an application. While most scripts are harmless, unsuspecting users can easily and inadvertently execute malicious scripts. These scripts can often be hidden in innocuous-looking links or, for instance, disguised as an email card. A common example of malicious scripts appears in Cross Site Scripting (XSS) attacks. Cross Site Scripting attacks exploit the trust relationship between a user and a website by employing specially crafted URLs. The intention of the attack is to steal cookies that contain user identities and credentials, or to trick users into supplying their credentials to the attacker. Typically, a cross-site scripting attack is launched by embedding scripts in an HTTP request that the user unwittingly sends to a trusted site. To protect web servers, the security gateway should provide the capability to detect and block HTTP requests that contain threatening scripting code.

4) Control Application-Layer Operations to Prevent Misuse. Not only can application-layer communications introduce malicious data to a network, the application itself might perform unauthorized or hazardous operations. A network security solution must have the ability to identify and control such operations by performing "access control" and "legitimate usage" checks. This level of security requires the capability to distinguish application operations at a granular level.

Example: Microsoft Networking Services

A network security solution can implement security policy using many parameters from CIFS, the Microsoft-based Common Internet File System. CIFS supports, among other capabilities, file- and print-sharing operations. A security gateway should have the capability to differentiate and block file-sharing operations originating from a user or system that does not have appropriate authorization. Conversely, print-sharing operations originating from the same user may be allowed and accepted. Providing a level of security with this granularity requires a thorough understanding of CIFS, as well as the ability to control application-layer protocol components.


The Evolving Firewall

Firewalls have established themselves as the staples of network security infrastructures based on their ability to block attacks at the network level. As a result of firewall success, hackers have developed more sophisticated attack methodologies. The new breed of attacks directly targets applications, often attempting to exploit vulnerabilities inherent in the applications themselves or in the underlying communication protocols. Providing security on multiple levels is required to safeguard corporate networks from these threats. The firewall must evolve into a multilayer security gateway that protects against both network and application-layer attacks, while providing access control to IT resources.

About the Author

As vice president of solutions & strategy for Check Point Software Technologies, Gonen Fink is responsible for building and maintaining relationships with Check Point's industry partners to develop and bring to market innovative, best-of-breed Internet security solutions for businesses of all sizes.

Fink holds a Bachelor of Science degree in Physics and Computer Science from Tel Aviv University.




For a FREE educational VPN/Firewall web seminar visit us on the web at http://www.checkpoint.com/vpnseminar

For additional information on the evolution of the firewall and Check Point Software, please visit us on the web at www.checkpoint.com

97 of the Fortune 100 companies run Check Point Software to secure their business.


6 Letter from the Editor

10 Why you need a CSO
Security thoughts from MOL's COO; How IT and physical security will converge; A CSO and CISO go head to head; Policy trends; The benefits of cyberinsurance; Snooping on your employees; Big Brother is still watching

Security Handbook 2004

Cover illustration by Stephen Webster

18 Where you find a CSO
How to recruit a leader; Fraud stats; Security strategies that start at the top; Building your company's immune systems; Where the heck do CSOs come from, anyway?; Required reading; Who your CSO calls for help

26 What you pay a CSO
A CIO's take on the role of the CSO; Fending off FUD; How to stop the spam; How to communicate threats to employees; Safety's softer side; Our guide to who's who in the world of security; Debunking CSO stereotypes

32 Where you put a CSO
Software Engineering Institute's COO speaks out; You oughta audit; A Homeland Defense primer; Practicing disaster; Incident response plans; Software patching, more or less?; Of orange alerts and red tape; All about FOIA

Tina LaCroix, CISO, Aon


THE RESOURCE FOR SECURITY EXECUTIVES

Founder Joseph L. Levy

INTERNATIONAL DATA GROUP
Board Chairman Patrick J. McGovern
CEO Pat Kenealy

BPA INTERNATIONAL MEMBERSHIP
Applied for August 2002
© CXO Media Inc.


Security Handbook 2004 www.csoonline.com 5


38 How you fund a CSO
Genzyme's CFO: An exec who gets it; Finding security equilibrium; Are our harbors safe?; Better budgeting; What employees who travel need from a CSO; Protecting your company's intellectual property; A true story of employee termination

44 How you measure a CSO
The CSO ethic; What to do when technology gets out of control; The incredible shrinking inventory; Does security have to be ugly to be safe?; Glossary

50 Index

52 Debriefing
By Howard Schmidt


ONLINE & INFORMATION SYSTEMS
Chief Information Officer Mark Hall

ONLINE
Senior VP/General Manager, Online Tim Horgan
Executive Web Editor Martha Heller
Online Technology Director Dagmar Eiben
Senior Web Developer Ellen Morey
Director of Online Research Kathleen Kotwica
Audience Development Manager Andrew Burrell
Web Developers Diane Chen, Shannon Macdonald
Online Content Researcher Tara Gillet-Liloia
Designer Graham White

INFORMATION SYSTEMS
Infrastructure Manager James C. Burgoyne
User Services Manager Ron Bettencourt
Senior User Services Specialists Michael Fahlsing, Jonathan Frappier
Systems Administrator Robert Reagan

President Walter Manninen
Group Publisher Gary J. Beach
Publisher Bob Bragdon

EDITORIAL
Editor in Chief Lew McCreary
Executive Editor Derek Slater
Managing Editor Elaine M. Cummings
Managing Editor, Production Cheryl R. Asselin
Senior Editors Scott Berinato, Todd Datz, Daintry Duffy
Research Editor Lorraine Cosgrove Ware
Senior Writer Sarah D. Scalet
Editor at Large Simson Garfinkel
Copy Chief Tom Wailgum
Asst. Managing Editor, Production Kathleen S. Carr
Copy Editors Kelli A. Gauthier (Assoc.), Emily S. Henderson, Sarah Johnson (Assoc.)
Special Projects Manager Lynne Z. Rigolini
Editorial Resource Manager Carol Zarrow
Editorial Assistants Daniel J. Horgan, Joe Sullivan
Contributors Simone Kaplan, Meg Mitchell Moore
Editorial Operations Specialist Julie Hanson

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor
Senior Designer Chandra Tallman
Design Operations Specialist Rachel Barnett
Freelance Designer Terri Mitchell

ONLINE EDITORIAL
Web Editorial Director Art Jahnke
Consulting Editor Janice Brand
Web Editor Sandy Kendall
Web Writer Jon Surmacz

...well, at least not directly, although we absolutely believe that, if used correctly, this CSO Security Handbook has the potential to make your professional life a little easier. We have designed the content for consumption by your senior-level colleagues across the enterprise who, because they are busy doing their own jobs, may lack a full appreciation of the complexities of yours. What we've tried to assemble here is a fairly comprehensive security curriculum, delivered in short bursts of lively prose. We don't pretend that it's complete, but we do think we're offering a breadth of topics that will give your counterparts in the business a fair idea of what you wrestle with day in and day out.

Consequently, we are asking you to pass this issue along to someone you think might profit from knowing more about what your job, and the overall practice of security as a business discipline, entails. We have printed more than twice as many copies as we do of a normal CSO issue because we expect that regular readers may want to share this material with more than one colleague. If you would like to order additional issues, please call Subscription Services Supervisor (say that five times fast!) Tina Pescaro at 888 455-4646, ext. 4447; or visit our website: www.CSOonline.com/2004handbook. Likewise, if any of your peers are interested in a regular subscription to CSO, we'd be delighted to have them as paid subscribers in the event they do not qualify to get the magazine for free.

Assuming your counterparts like what they read in this issue and you find it valuable as an educational tool, we will offer it again next year with revised and updated content. To that end, we welcome your feedback and suggestions for improving future editions of our CSO Security Handbook.

Great credit for the quality of this handbook goes to our issue coordinators, Senior Editor Scott Berinato and Managing Editor Elaine M. Cummings. The wondrous look and feel of the issue was created by Senior Designer Chandra Tallman. And all of the CSO staff contributed heroically. They join me in hoping that you actually do what we intended: Walk down the hall with this thing (or take the elevator up or down a few floors) and put it in someone else's hands! I know it's hard sometimes to let go. But we think it's really in your own best interest. Share the experience! Let others know what's on your plate by getting this magazine off it.

-Lew McCreary
mccreary@aw.com




PHOTO BY WEBB CHAPPELL


Advertising Supplement

The Optimized Enterprise

Brought to you by Avaya


As the worlds of voice and data continue to converge, enterprises are discovering powerful new capabilities, flexibility, and cost efficiencies. These benefits form the foundation for enterprise optimization. But like any new technology, convergence introduces new security concerns, and the smart enterprise addresses them head-on in both its planning and everyday practices.

Robust security processes provide device protection that recognizes and responds to attacks; application protection, to control access and to recognize and respond to detected abuse; and assistance from best-in-class security providers that have specialized knowledge and expertise, particularly in respect to converged networks.

As a leading global provider of networks, applications and services, Avaya has unique and valuable insights on security. And with a singular focus on the needs of enterprises, Avaya understands the stakes that are involved: intellectual property, privacy of communications, privacy of data, and ultimately the existence of the enterprise.

Pervasive, Layered Protection of Enterprise Infrastructure

Enterprise networking infrastructure needs to be protected against threats originating from outside the enterprise network perimeter as well as from threats originating inside the perimeter. Protection must be considered against a number of threats including theft of proprietary information, sabotage, fraud, eavesdropping, and unauthorized insider access. A security policy and technical solutions must be used together to protect the enterprise network.

A well-accepted logical model for protecting the enterprise infrastructure comprises four logical layers: ubiquitous protection for enterprise resources; control infrastructure for validating users and access to resources; perimeter protection for guarding access to enterprise networks; and extended perimeter protection for enterprise assets when they leave or are accessible from outside of the enterprise perimeter.

Layer 1 - Resource Protection:

Network resources, including servers, services, data, and endpoints, must be protected in a way that supports the enterprise security policy. Resources must support the integrated, enterprise-wide approach to access control, auditing and alarming, and often must be remotely serviceable, configurable, and upgradeable. Resources need to support enterprise requirements for redundancy and disaster recovery and must perform gracefully and predictably when under attack.

Layer 2 - Control:

Access to enterprise resources is strictly regulated by rules and policies that apply enterprise-wide. The control layer represents the rules, policies, and mechanisms for authentication, authorization, and access control to resources. Directories and management capabilities for defining and enforcing consistent security policy support the functionality of the control layer.

Layer 3 - Perimeter Protection:

The perimeter of the enterprise network is expected to be a well-defined boundary protected by firewalls, IPSec VPN remote access, and intrusion detection systems so that bad elements cannot gain unauthorized access to enterprise resources. Common threats and challenges to protecting the perimeter of data networks are well known. In a converged environment, however, the data network alone does not form the perimeter. The perimeter may consist of both circuit-switched networks and data networks combining to create potentially new avenues of access. 802.11x wireless LANs (WLANs), when deployed and configured inside an enterprise network, can lead to unauthorized access through the perimeter if they are not supplemented with appropriate access control mechanisms. Proper configuration and operation of the WLAN is necessary to prevent successful attacks.

Layer 4 - Extended Perimeter Protection:

This allows remote workers, partners, and suppliers access to specific, well-controlled resources within the perimeter. IPSec VPN remote access enables extending the perimeter in ways that scale from low-end individual remote workers and small offices to large sites with high bandwidth needs. Extending the enterprise perimeter adds to the load of managing the network, as identities and configurations need to be managed for individuals and equipment that are outside of the enterprise proper. As a result, integrated and seamless capabilities to manage remote devices and remote users have become increasingly important.

The four layers present a tall challenge to any IT staff, leading many enterprises to seek the help of specialized security consulting services.

Securing Communication Applications

Communication applications that take advantage of converged networking infrastructure must themselves be protected against security threats. Applications need to provide strict enforcement of access control policies, assurances of secure data handling, consistent auditing and alarming, secure administration, and pervasive denial of service protection. Taking these measures will help protect against unauthorized access, data loss, and resource theft. Furthermore, intruders and suspicious application access trends can be tracked and reported.

Voice application security in an IP telephony environment includes the security features of traditional telephony and adds the ability to conduct private phone calls in an open IP environment. Two basic steps should be covered: phones need to be authenticated prior to being used for voice service; and voice content, which otherwise may travel in the clear on IP networks, should be encrypted to discourage eavesdropping attempts within the enterprise perimeter.

The network infrastructure should use intrusion detection or other means to detect and thwart attacks. Phones themselves provide access control and secure software updates in order to prevent misuse and allow repair of the underlying telephony platform. Remote access to media servers and gateways is strictly controlled to avoid disruption of the IP telephony service.

Overall, authentication prevents the unauthorized use of media gateway and media server resources, minimizes the potential for spoofing attacks from unauthorized devices and intruders, and minimizes the potential for loss via toll fraud for calls that terminate on a carrier network.

IP telephony communication without media encryption is susceptible to unauthorized tapping attacks within the customer LAN/WAN as well as during traversal of public, and possibly unprotected, IP networks. Avaya utilizes IP telephony traffic encryption as one mechanism to protect against threats of disclosure. Avaya™ Media Gateways and Servers assist in negotiating a secure encrypted session for voice communication between Avaya IP endpoints. This approach encrypts the voice from the origin to the destination over an enterprise LAN/WAN so that an IP sniffer cannot decipher the conversation. Encryption of voice traffic thwarts eavesdropping attempts and provides an additional level of privacy to IP telephony users.

And with its security consulting services, Avaya can assist enterprises in assessing vulnerabilities and configuring the specific level of security-hardening measures needed to meet specific needs.

An approach commonly deployed today for protecting IP voice traffic is to encrypt just the WAN portion of the IP telephony traffic using IPSec VPNs. While this approach protects a portion of the call, it leaves the LAN portion of the call susceptible to eavesdropping. Complete, end-to-end IP voice encryption offers a stronger, more private voice communication infrastructure.

Securing Access for Maintenance

Secure remote access for network monitoring and maintenance is an essential part of maintaining network and application security. The capability to automatically detect and correct equipment problems is a key step in addressing potential security violations. A secure access approach that provides the strongest authentication means, such as one-time passwords and challenge-and-response techniques, for granting access to specific equipment and applications within the perimeter is necessary for services and maintenance. Using strong authentication is particularly important in this area since maintenance personnel require access to many sensitive resources of a system.

An additional step for a more robust solution, and greater peace of mind, involves placing a special gateway, which customers control, between maintenance personnel and equipment.

A Trusted Framework

A comprehensive approach to enterprise security can save money, reduce risk against loss, and enable new opportunities. The personnel, applications, and devices selected to implement the approach must have security characteristics that afford the level of protection consistent with enterprise needs.

One such approach is the Avaya Trusted Communications Framework. The Framework encompasses services, access, applications, infrastructure and management to provide the pervasive, multilayer coverage that an enterprise needs. And the Avaya Enterprise Security Practice puts it to work every day.

This document barely scratches the surface of the many considerations for an enterprise intent on protecting its networks, intellectual property, and mission-critical data. To learn more about how Avaya helps enterprises solve their security challenges, visit www.avaya.com/secure.


About Avaya

Avaya, a leading global provider of communications networks for businesses, is dedicated to protecting the ability to communicate at any time, across any network, from any device. Every day a million enterprises around the world, including more than 90 percent of the companies in the FORTUNE 500 and some of the world's largest government entities, rely on Avaya for powerful, secure communications solutions.

Building on a foundation of security expertise from its days as a division of AT&T and Lucent Technologies, Avaya designs security and continuity into all of its voice, data and converged solutions, guided by the Avaya Trusted Communications Framework, and reinforces them with a services organization that provides both consulting and 24x7 monitoring capabilities.

For more information about Avaya Security, please visit us on the web at www.avaya.com/secure

AVAYA



FIRST OFF, let's get the credibility thing out on the table. When the editors of a magazine called CSO staunchly advocate for the hiring of more and more CSOs, we understand that our motives are, well, open to suspicion. And, yes, it's pretty unlikely we would take the position that there are already enough (or even too many!) CSOs. Obviously, there are not.

Thus, we remain undeterred. Irresistible evidence has piled up during the past 10 years or so. The development of technologies and online systems that both encourage legitimate and enable illegitimate access to an enterprise's vital data assets and operational controls has catapulted security from a matter of principled process hygiene to one of mortal business peril. That is what we believe.

So if you've held out this long without hiring a CSO, either your business operates exclusively on principles of risk avoidance or you're tempting fate in ways that would cause a liability lawyer to cringe. Here are five reasons to post the position right quick:

1. Any big lug (or lugette) can go out and buy products that will provide some degree of security. You just read the marketing materials, perform a little due diligence and write a bunch of checks. But security amounts to more than surveillance systems and firewalls, card readers, and intrusion detection. Security is a business value that needs to be embedded in every system and integrated into the way employees think and operate. It needs to be understood and cared about within the highest business echelons, not just in the corporate counsel's office or among members of the security team. For a change like that to occur, you'll need an anointed executive leader whose mandate is to create a security culture and architecture. His charge should not be to keep bad things from happening; it should be to create conditions that will make bad things less likely to happen. The distinction is not as subtle as it seems.

2. Risk needs to be seen in a business context. Most business activities entail some quotient of risk. It remains to be decided what degree of risk tolerance (or risk aversion) ought to be assigned to those activities. Doing that sort of analysis, and then driving toward rational decisions as its outgrowth, is a high-level art requiring the expert input of a CSO who consults closely with the executives who own the activities in question. Despite the reflexive impulse of security practitioners toward absolutism, risk and business opportunity are intertwined and must be weighed together. A good CSO will lay out the risks, their potential for havoc, the cost of mitigation and the likely impact of mitigation on the quality of the business opportunity. In many organizations, the ultimate decision on risk tolerance will belong to the business owner, not the CSO. But without the guidance of a CSO, fully informed decisions are impossible.

3. Guiding the security process shouldn't be done from the bowels of the ship. If the risks to the business are of board-level concern (and they are), then security governance ought to be seen as important enough to enjoy board-level access. A security group with no corner-office clout is a disaster in the making. There's a chicken-egg question attached to this proposition. Consider the example of the chief information officer. Did information technology become strategic when CIOs were created to lead it to the promised land? Or was the CIO position created in recognition of IT's strategic importance? We think it's a little of both. But where the CSO role is concerned, on the level of the individual enterprise, the security problem will resist solution until an empowered executive takes the helm.

4. As a corollary to the above (and we know this is slightly cynical), no problem truly gets adequate attention until someone is made accountable for solving it. When the auditors come around, your CSO is exhibit A in making the case for your new security-mindedness. Consider, too, the inimitable Thornton May, an IT consultant who observed that "what CSOs have done is, they've centralized blame" (see "Why Security Needs to Blow Its Own Horn," June 2003, at www.csoonline.com). As a result of becoming C-level players, CSOs will have to fight that accountability battle one boss at a time. But if you happen to be the boss.... Isn't it great to have someone you can hang out to dry if things don't go as you'd like?

5. Finally, if things do get better, you'll find your organization has learned to bake security into its products, processes, culture, balance sheet, reputation and asset base.

And that ain't hay. -Lew McCreary


VIEW FROM THE COO

Ray Keene, Executive VP and COO, MOL America

When we first visualized the role of CSO for our company, MOL America, we had major concerns about the effects that this security officer would have on our day-to-day operations. In a large shipping company like ours, smooth, effective operations are critical. Every penny we earn, it can be argued, we earn through precise logistics.

For example, we stack containers onto ships by weight (heaviest on the bottom) or else the ship may become unstable. We also have a process for allowing "late gates," that is, containers that arrive at port late and are loaded just a few hours before the ship leaves port.

U.S. Customs reviews the manifests of all vessels bound for the United States. If they do not have enough information to determine the contents of the container, Customs will give us a "no load" message. In other words, "Sit tight and do not load the container until we can investigate the cargo further." When that happens, cargo cannot be loaded, service deteriorates, customers are upset, and operations suffer.

Nobody can afford to sit tight. But newly minted government regulations, crafted in reaction to Sept. 11, are making no-load orders more and more likely. Consider that we used to prepare manifests for Customs as much as five days after we loaded cargo and set sail. Under the new regulations, we must file a list of all cargo we plan to take on 24 hours before we load the cargo.

So on one hand, we were worried about installing a CSO because he could become a wrench in our logistical gears; on the other hand, we didn't feel like we had much of a choice because the new regulations were like a thousand wrenches in the works. And now we needed someone to help overhaul our operational plans so that they took into account compliance in the United States as well as in, say, Bangladesh or Hong Kong.

We appointed James Galligan to become our point person on all matters security. He has been instrumental in helping us weather the storm of regulations.

Jim implemented a massive security education effort on what the new regs meant. It was no small effort; Jim was working with multiple constituencies, including customers and MOL employees. He got them working together so that we wouldn't have containers sitting in Sri Lanka waiting for the go-ahead from Customs.

Mainly, he was trying to get our customers to break their old habit of submitting vague descriptions of goods for what was actually in their containers. Instead, he helped them see the importance of much more specific lists of goods. Or maybe he helped them understand how many more no-load orders they'd suffer if they didn't improve the accuracy of their information. Whatever he did, it worked. We've experienced vastly fewer no-load orders from Customs than we thought we would in the wake of the regulations; Jim is largely responsible for that.

The transportation industry in general has a strong security heritage. In our sector, we used to call it safety, and largely that's what it was. We were keeping assets safe around the world, sometimes in volatile places. Shipping's safety culture is deeply ingrained; for MOL, it includes security management systems approved by ISO standards.

But, I must admit that, historically, our security to some degree has focused on fraud, theft and pilfering of containers. These were our concerns. Now, obviously, our concerns are much broader. In a sense, we're building new levels of security into our older, more well-established discipline of safety.

Central to that is the CSO. A role that, when we started thinking about it, worried us. How would a security officer affect operations? Then it felt mandatory, and less than ideal. How would he help us cope with the new regulatory realities? Then we saw the greater benefits to operations from installing a CSO.

How could we not have Jim as part of the executive team?

Ray Keene is responsible for all of MOL America's day-to-day operations in North America and Latin America.


of  security  executives 
surveyed  report  that 
information  security  is  still 
not  a  board-level  priority. 


SOURCE:  AN  INTERNET  SECURITY  ALLIANCE  SURVEY  OF  MORE 
THAN  225  INFOSEC  PROFESSIONALS.  AUGUST  2002 


It Takes Two

CONVERGENCE You could start a pretty good dustup by telling an infosecurity guy just what the physical security guy has to say about him. And vice versa. Not a lot of love is lost between the geeks and the guards. Each side sniffs privately that it is mortally galled by what feels like a fundamental lack of respect from the other. The IT guys scorn the physec guys as a bunch of burned-out ex-cops, and the physec guys see the geeks as arrogant propeller-heads who hide their narrow focus behind an impenetrable fog of gibberish and acronyms.

Infosecurity specialists "start with the assumption that [everyone else]...won't understand the technology, so what's the sense in even talking to them," says George Campbell, former CSO of Fidelity Investments and now president of the International Security Management Association. ISMA's 300-plus members take the broad view of security as a high-level strategic activity touching virtually every enterprise function. Campbell still seethes when he describes one memorable encounter with an IT security professional who proposed a way for corporate security types to lend a helping hand to the IT side: "Well, I suppose they could collect the trash."

And so it would seem surprising to acknowledge that slowly but relentlessly, physical and information security are being brought together in more and more organizations under a single executive's guiding hand. The word to use here is convergence.

"Security is security, whether it's in the physical or IT realm," says Bob Fox, CSO of Sprint corporate security. At his company, says Fox, "the executive management team decided to consolidate all security into one organization with one leader who could look out for the entire corporation."

The challenge of pulling together security domains that have traditionally been divided by background, skill set and temperament can be a tall order. When you add in a history of mutual contempt, the tall order becomes nearly mountainous. The opportunity for an integrated view of security, and a streamlined approach to its governance, now appeals to more and more organizations. What all security mainly boils down to is risk management. Evaluating threats and calibrating appropriate countermeasures that don't unduly shackle important business opportunities are the main elements of an effective security program. Viewing threats as segregated by type (physical as opposed to digital) becomes less and less meaningful in a world where, on one hand, digital systems control many physical processes and, on the other, physical attacks menace digital networks.

Moreover, the tools for protecting physical spaces and for regulating access to them are increasingly built from information technologies, linking card readers, biometric sensors and surveillance gear to many of the same databases that control access to networked digital assets.

On what rational basis should custody of these converging authorization architectures be allocated? How about accountability for their successful performance? And who will coordinate the setting of policies that underlie their use? The answer, in many enterprises, is that now security is seen as one broad activity rather than two or more smaller ones, often rife with wasteful administrative redundancies that, because of the separation, remain hidden from view.

At Sprint, says Fox, developing dexterity in both the physical and IT arenas is increasingly important. "When we do a security assessment, we start with the physical and go through all elements into the technical security. Both sides are learning more about each other. I have employees who have asked to be moved into different parts of the security organization so that they can improve [either] their technical or traditional [security] skills."

Convergence leads to unified approaches to formulating security plans and processes. Consider terminations, for example. When an employee quits or is fired, does your company have a coordinated process to block her electronic access to the building while simultaneously shutting off e-mail and network privileges?
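The termination question above is, in practice, a reconciliation problem: HR knows who has left, the badge system knows whose card still opens doors, and the directory knows whose account still logs in, and the gaps live between them. The following is an added example, not code from the article or from any vendor named on this page. It reconciles three constructed CSV exports (the column layouts are hypothetical; real physical access control and directory exports differ), classifies each departed employee by what access is still live in each system, revokes badge and account together in one idempotent step, and re-runs the check so the second pass proves nothing was missed.

```python
import csv
import io
from datetime import date

# Constructed sample exports for this example. The column layouts are
# hypothetical; a real badge (physical access control) system and a real
# directory will export something different.
HR_TERMINATIONS = """emp_id,name,last_day
1001,alice,2004-01-15
1002,bob,2004-01-20
1003,carol,2004-01-22
"""

BADGE_EXPORT = """emp_id,badge_id,status
1001,B-7781,active
1002,B-7790,disabled
1004,B-7802,active
"""

DIRECTORY_EXPORT = """emp_id,username,enabled
1001,alice,true
1002,bob,true
1003,carol,false
1004,dave,true
"""


def load(text):
    """Parse one CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_rows, badge_rows, dir_rows, today):
    """Classify every employee whose last day is on or before `today`
    by what access is still live in each system.

    Keys of the returned dict:
      both     badge and account still live: no offboarding happened
      badge    only the badge is live: IT acted, physical security did not
      account  only the account is live: physical security acted, IT did not
      clean    nothing live
    The 'badge' and 'account' buckets are the gaps that stay hidden when the
    two systems are owned by teams that never compare notes.
    """
    badge_live = {r["emp_id"] for r in badge_rows if r["status"] == "active"}
    acct_live = {r["emp_id"] for r in dir_rows if r["enabled"].lower() == "true"}
    result = {"both": [], "badge": [], "account": [], "clean": []}
    for r in hr_rows:
        if date.fromisoformat(r["last_day"]) > today:
            continue  # still employed as of today
        emp = r["emp_id"]
        b, a = emp in badge_live, emp in acct_live
        key = "both" if (b and a) else "badge" if b else "account" if a else "clean"
        result[key].append(emp)
    return result


def revoke(emp_id, badge_rows, dir_rows):
    """Disable badge and account together, in place. Idempotent: a second
    call for the same employee returns an empty action list."""
    actions = []
    for r in badge_rows:
        if r["emp_id"] == emp_id and r["status"] == "active":
            r["status"] = "disabled"
            actions.append(("badge", r["badge_id"]))
    for r in dir_rows:
        if r["emp_id"] == emp_id and r["enabled"].lower() == "true":
            r["enabled"] = "false"
            actions.append(("account", r["username"]))
    return actions


def offboard(today=date(2004, 1, 23)):
    """Run the reconciliation, revoke everything still live, then re-run it
    so the second pass proves the state is clean. Returns (before, after)."""
    hr = load(HR_TERMINATIONS)
    badges = load(BADGE_EXPORT)
    accounts = load(DIRECTORY_EXPORT)
    before = reconcile(hr, badges, accounts, today)
    for bucket in ("both", "badge", "account"):
        for emp in before[bucket]:
            revoke(emp, badges, accounts)
    after = reconcile(hr, badges, accounts, today)
    return before, after


if __name__ == "__main__":
    before, after = offboard()
    print("before:", before)
    print("after: ", after)
```

On the constructed data, alice (1001) is the case the paragraph describes: nobody offboarded her, so both her badge and her account are live. bob (1002) is the convergence gap: the guards disabled his badge, IT never disabled his account. carol is clean, and dave is still employed, so he is not touched. The design point is the re-run after revocation: a termination process that cannot verify its own result against both systems is not a coordinated process, it is two uncoordinated ones with a shared ticket number.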

"These days," says Steve Hunt, a research analyst with Giga Information Group, "threats are intertwined. The physical and IT security guys have to operate on a coordinated response plan where everyone's on the same page."

While the trend is real, it is not yet an epidemic. In most enterprises, the cultural barriers and organizational habits have so far kept the twain from meeting. But the unified approach is a work in progress.

As the benefits of convergence are reaped, and as the difficulties are either overcome or proved insurmountable, a clearer verdict will arrive. For now, though, it is something that deserves a serious test.

-Lew McCreary




CISO Bill Spernow (left) and former CSO George Campbell face off.

Head to Head

A frank conversation about merging IT and physical security

CSO V. CISO Stating that physical and IT security should merge is easy compared with actually doing it. Here is an excerpt of an engaging conversation between leaders in their respective fields about the challenges of actually merging security under one CSO. George Campbell is the former CSO of Fidelity and current president of the International Security Management Association. Bill Spernow, CISO of the Georgia Student Finance Commission, used to work for Campbell at Fidelity.

George Campbell: People like me have no business fancying themselves as CISOs. But there's nothing wrong with them leading that effort as part of a global security strategy.

Bill Spernow: The larger the organization, the more likely the CSO and CISO are on a peer level. In a midsize company, I'd recommend the CISO be independent. Maybe he reports to legal as opposed to the IT department. If I see an organization where the CISO reports to some IT component, I see a position that's not working, guaranteed.

Campbell: I'd agree. The problem with the CISO reporting to IT is you get the fox in the henhouse. Let me ask you, to what extent does a CISO's background detract from his ability to effectively lead and strategize for the other aspects of security that a CSO controls?

Spernow: They become technocentric. CISOs don't really grasp the real physical threat or the human threat. I agree that having a CISO take on a CSO role is usually a disaster. Once they've been exposed to it and integrate it into their mind-set, they can be effective. But it's an uphill battle to get them to change their mind-set.

Campbell: On the other hand, as CSOs, are we truly engaged with the technology community in articulating to them what our needs are? I think the answer to that is, quite frankly, no. It gets back to the notion of a true partnership [between the CSO and CISO]. The goal has to be to provide a total umbrella of protection to the enterprise. Otherwise, there are corporations where [the two parties] will never talk. And I bet Bill has seen more cases where a CISO and CSO didn't talk than those where they truly had a partnership.

Spernow: Because each builds his moat, and it becomes an ego issue. CISOs see CSOs, without the infosecurity role, as those whose methodologies are proven from a tactical perspective. That allows them to be totally strategic. CISOs are always dealing with new developments, so we have to bounce between tactical and strategic.

Campbell: But if you take away infosecurity, that person isn't really a CSO anymore. The notion of a CSO must extend to all aspects of protecting assets, including information assets.

The sad thing is the need to even have a debate like this. When you peel it back, we're all in the same business. We're all here to provide integrated controls. Integrated. Underscore that. I have to think about being prepared to work with information security executives; and when it hits the fan, they have to be prepared to help me.


[Chart: share of surveyed companies using each security measure. Values shown: 80%, 62%, 40%, 30%. Measures listed: entry badges for premises access; policy training for employees; employee e-mail monitoring; restrict Internet for personal use; security policies posted on company intranet. The pairing of values to measures did not survive extraction.]

SOURCE: "ENTERPRISE SECURITY TRENDS," AN AUGUST 2002 GARTNER SURVEY OF 422 COMPANIES IN A VARIETY OF INDUSTRIES

"They who would give up an essential liberty ... deserve neither liberty nor security." -BENJAMIN FRANKLIN


Actuarially Speaking

CYBERSECURITY INSURANCE WILL HAVE A PROFOUND EFFECT...ONCE IT FINALLY ARRIVES

In 1882, fire sprinklers were a hard sell. Clever purveyors of said sprinklers were even known to torch old mills equipped with the new invention for the benefit of an audience of mill proprietors. Even so, mill owners didn't much go for sprinklers. That is, until fire insurance companies started adjusting premiums based on whether a mill had installed sprinklers. That opened the (ahem) floodgates, and within months fire sprinklers were everywhere.

Infosecurity needs the same kind of goose from the insurance industry.

Security experts believe that cybersecurity insurance policies, with adjustable premiums based both on what technology an organization uses and its standard security practices, will set off a chain reaction: Buyers will seek products that lower their premiums; vendors will compete to make such products; and our critical infrastructure will improve beyond its current, dubious state.

Actually, that was supposed to have happened by now. Researchers from both the private and public sectors had already developed some of the first actuarial data on the cost benefits of higher security as early as 2001. Cybersecurity-specific insurance plans, albeit primitive and limited, were gaining purchase around that time; the listless insurance industry needed to develop new products to boost its own business. That's how Dave O'Neill, vice president of e-commerce solutions at insurer Zurich North America, saw it anyway. O'Neill was developing a cybersecurity insurance plan for Zurich North America, and at that time he said eagerly, "It's a whole new, very fantastic arena. By the end of 2002, it'll be a whole different landscape. We'll know much more scientifically how to do this."

Then 9/11 happened, and plans were put on hold. The already sluggish insurance industry had to pay out $40 billion related to the tragedy. It was hardly the time to expand products, especially into a field that was still hard to define. And, in fact, most insurance companies pulled back on cybersecurity insurance.

In June 2002, however, the idea regained some steam, this time under the guise of national security. The Bush administration, keen on letting market forces drive cybersecurity, championed the concept as a way to spark companies into more carefully stewarding the critical infrastructure.

So far, though, it hasn't worked. Infosecurity insurance isn't yet a must-have item. CSOs and CISOs would love to have it, though. Many of them believe it's the only motivating force that will kick IT's behind: pull the tech sector out of its slipshod practices and into the real world, where lax security practices aren't tolerated. Where everyone has fire sprinklers. -Scott Berinato


What Your CSO Can Tell You About Employee Monitoring

SURVEILLANCE There's a right, and a wrong, way to check up on employees. The harm from doing it badly could outweigh the harm from not doing it at all. Here are a half dozen lessons from the trenches (and courtrooms):

1. You have good reasons to snoop. Employees don't always do the right thing. Legal precedents affirm an employer's right to patrol its networks and other equipment to enforce policies, protect trade secrets and intellectual property, guard against liabilities arising from sexual harassment and other offensive behavior, and otherwise ensure productive use of company assets and work time. Increasingly, employee monitoring is not a choice; it's a risk-management obligation.

2. Spying on people can be distasteful. Some CSOs prefer to leave the invasive monitoring stuff to direct managers. (And, take note: Employee monitoring should never become a default substitute for effective management practice.) The reality, however, is that businesses are increasingly turning to monitoring and surveillance to enforce compliance with company policies. (A 2001 American Management Association survey showed that 82 percent of respondents used some form of electronic monitoring.)
3. Publish a policy and explain clearly why it exists. The main reason for disconnects around corporate motives for monitoring is that communication tends to be so poor. Even companies with developed policies often tuck them into the recesses of the employee handbook. Open communication is the key to formulating a policy and putting it into practice. Matters can't be left to the imagination. Organizations must clearly educate employees about what unacceptable behavior is or isn't.

4. Don't sneak up on the workforce. Let them know that monitoring is occurring. "Companies need to explain in clear language what type of surveillance is taking place and distribute it so employees know what they're getting into," says Frederick Lane, author of The Naked Employee: How Technology Is Compromising Workplace Privacy. Publicly posted reminders of surveillance can help. Such information can save you legal headaches down the road, says Lane. "A lot of litigation arises out of the shock of employees discovering that they are under surveillance," he says.

5. Pay heed to equal monitoring. For legal reasons, it's important that monitoring be applied to every employee equally. "You can't routinely watch the activities of younger people more than older people or to do surveillance by race," says Deborah Weinstein, a labor and employment law attorney at the Philadelphia firm of Eckert, Seamans, Cherin & Mellott.

6. Pay heed to equal enforcement. Spotty or selective enforcement is worse than no enforcement at all and could, moreover, open the door to claims of wrongful dismissal. In a situation where a pattern of lax enforcement has taken the teeth out of a policy, when someone is eventually terminated for violating the policy in a sufficiently egregious way, the company is vulnerable to a discrimination lawsuit. -D.D.

The Orwell Factor

PRIVACY Security and privacy can be, as with many siblings, close but combative. They are often pitted against each other in a struggle that privacy seems destined to lose.

The conflict between the two is especially evident in the Department of Defense's proposed Total Information Awareness project intended to mine information from commercial databases and personal e-mails for use in the war on terrorism. TIA's security merits are as yet unproven, but the concept has already raised the hackles of privacy advocates who see it as an all-too-convenient way for the government to spy on citizens.

Barbara Simons, cochair of the U.S. Public Policy Committee of the Association for Computing Machinery, complains that the Pentagon has not been forthcoming with details on who will have access to information mined by TIA. "Whenever there are large databases about people, there's a risk that they're going to be compromised, and we don't know precisely what [the Pentagon] has in mind," says Simons.

As the government comes knocking for information, and companies step up their own surveillance procedures, privacy will become a highly pressurized issue. Line-of-business executives, especially those in such regulated industries as health care and financial services, will play a critical role in keeping their companies on the right side of both customers and the law.

Executives of companies doing business abroad should also be aware of the different international laws that govern the use of customer information. When Citibank and the Deutsche Bahn, Germany's national railway, agreed to cobrand a credit card in the mid-1990s, the German data protection commissioners turned a relatively simple arrangement into a logistical nightmare. They forced Citibank to develop an expensive contractual solution to put limits on the use of customer information. Simon Davies, director of London-based Privacy International, estimates that the nine-month project delay may have cost Citibank anywhere from $10 million to $50 million in lost opportunities and legal expenses.

Companies that turn their noses up at privacy, even in the name of security, could face similar, and perhaps prohibitive, costs. -Daintry Duffy


BETTER MANAGEMENT DOES.

The secret to a secure enterprise lies in not just monitoring the parts, but managing it as a whole. That's exactly what eTrust™ lets you do. In fact, our eTrust™ Security Command Center is the perfect solution to security information overload. It gives you the big picture from a single vantage point, with all your event information prioritized. So you can identify actual internal and external threats before they can wreak havoc. Anything less would be, well, alarming. For more information on security management, go to ca.com/etrust/management.

ACCESS • THREAT • IDENTITY

SECURITY MANAGEMENT SOFTWARE

©2003 Computer Associates International, Inc. (CA). All rights reserved.

eTrust™

Computer Associates®


FINDING  AN  EXECUTIVE  who  possesses  the 
potpourri  of  security  skills  necessary  to  suc¬ 
ceed  in  the  CSO  role  can  be  a  formidable  chal¬ 
lenge.  Actually  finding  one  who  also  possesses 
the  critical  but  intangible  qualities  of  leader¬ 
ship,  vision  and  integrity  can  seem  next  to 
impossible.  But  the  search  for  a  qualified  CSO 
doesn’t  have  to  be  a  frustrating  odyssey.  Here 
are  some  hints  on  where  to  look  and  what  to 
look  for  when  filling  the  top  security  spot. 

1.  Steal  a  CSO  With  a  small  pool  of  quali¬ 
fied  candidates  and  an  increasing  demand  for 
their  services,  chances  are  pretty  good  that  the 
CSO  you  want  may  already  be  doing  the  job  at 
another  company.  Tracy  Lenzner,  CEO  of 
LenznerGroup,  an  executive  search  company 
that  specializes  in  CSO  and  CISO  hires,  notes 
that  many  organizations  find  their  candidates 
at  other  companies  and  lure  them  to  their  new 
job.  "[CSOs  want  to  know]  what  kind  of  author¬ 
ity  and  visibility  they’ll  have,”  says  Lenzner. 
“Some  have  strong  egos.  They’re  visionaries, 
and  they’ll  want  to  strategize.  The  ability  to 
make  changes  and  get  results  is  what  they 
hunger for.” A CSO who is frustrated in any of those areas is just ripe for the pickin’.

2.  Forget  the  Title  Titles  mean  different 
things  at  different  companies,  especially  in  the 
security  world.  Those  who  hold  titles  similar  to 
a  CSO— such  as  CISO,  director  or  vice  presi¬ 
dent  of  security— shouldn’t  be  disregarded. 
Often  those  individuals  are  performing  many 
of  the  same  functions  as  a  CSO  or  have  been 
primed  in  a  secondary  role  to  eventually  rise 
to  a  CSO  position. 

3.  Look  for  a  Star  Although  the  security 
industry  is  small  and  quite  insular,  it  has  its 
superstars.  “A  renowned  name  can  be  a  plus,” 
says  Lenzner.  “It  can  bring  instant  credibility 
and  is  usually  desired  in  a  highly  political  envi¬ 
ronment  or  one  that  requires  a  high  level  of 
integrity  and  industry  standing.”  In  addition, 
CSOs  who  work  the  conference  circuit  and  are 
sought  after  as  speakers  and  commentators 
often  have  connections  within  the  industry  and 
within  government  that  can  be  useful  to  an 
employer.  However,  Lenzner  also  cautions 
companies  that  are  tempted  to  hire  a  security 
heavyweight  that  a  big  name  is  no  substitute 
for  performing  due  diligence  prior  to  making 
the  hiring  decision.  "As  we  know  from  Holly¬ 
wood,  there  are  always  new  superstars  on  the 
horizon,”  she  says. 




ILLUSTRATION BY STEPHEN WEBSTER


4.  Scout  the  Services  The  military,  law 
enforcement  and  three-letter-government- 
agency  types  have  traditionally  been  a  rich 
pool  of  CSO  candidates.  But  while  many  of 
those  individuals  have  the  necessary  CSO 
personality  traits— strong  leadership  skills 
and  an  understanding  of  the  importance  of 
character  and  ethics— they  sometimes  lack 
the  technical  expertise  to  command  the 
respect  of  the  IT  group  and  the  communica¬ 
tion  skills  necessary  to  form  critical  executive 
partnerships  internally.  One  Fortune  100  CSO 
notes  that,  “Although  I  have  a  great  deal  of 
admiration  for  the  FBI  and  people  who  have 
worked  in  the  CIA  or  the  Secret  Service,  I’m 
seeing  a  move  away  from  that  model." 

Regardless  of  where  you  find  a  CSO  candi¬ 
date,  certain  experiences  and  qualifications  can 
set  the  best  apart  from  the  rest.  Many  of  the 
requirements  that  Lenzner  suggests  are  clearly 
visible  on  a  resume  or  easily  discovered  in  a 
preliminary  interview.  They  should  have: 

■  Service  in  a  security-related  position 

■  A  demonstrated  ability  to  gain  confidence 
and  credibility  of  executive  leadership 

■  A  CPP  and/or  CISSP  certification 

■  Ten  or  more  years  of  experience  in 
information  security  (for  CSOs  in  IT- 
heavy  industries  such  as  finance) 

■  Strong  knowledge  of  IT  security,  anti¬ 
terrorism  and  cyberrisk  issues 

Of  course  there  are  plenty  of  duds  out 
there,  but  they  are  easily  identified  if  you 
know  what  you're  looking  for.  CSO  candidates 
that  are  arrogant  or  have  a  short  fuse  proba¬ 
bly  lack  the  finesse  to  gain  consensus  on 
security  initiatives.  Resumes  that  exhibit  a 
lack  of  consistency— for  example,  they’ve 
been  bouncing  from  job  to  job  rather  than 
steadily  progressing  to  a  security  leadership 
position— should  be  another  red  flag. 

The  best  step  a  company  can  take  to  land  a 
good  CSO  is  to  work  backward.  Figure  out 
what  you  want  and  need  from  a  security  exec¬ 
utive  before  starting  the  search.  “You  have  to 
know  what  the  organization’s  strengths  are 
and  the  areas  that  you  want  to  improve  on. 
Then  ask  yourself  what  you  want  to  achieve,” 
says  Lenzner.  Remember:  Even  the  best  CSOs 
will  be  doomed  to  failure  if  they  can’t  figure 
out  the  role  you  want  them  to  play. 

-Daintry  Duffy 




VIEW  FROM  A  RECRUITER 

Qualifications  for  a  CSO  continue  to 
evolve,  save  one  prerequisite  that 
remains  constant:  leadership. 

Whether  by  regulatory  mandate, 
board  directive,  or  simply  a  sense  of 
responsibility  to  the  company  and  the 
community,  you’ve  decided  to  create  the 
position  of  CSO  and  hire  one.  It’s  not 
unusual  at  this  point  to  have  a  profound 
sense  of  “Now  what?” 

You’re  now  stuck  hunting  a  rare 
species.  In  recruiting  executive  security 
professionals  for  six  years  now,  I  can 
safely  say  that  one  of  the  few  constants 
about  the  position  is  that  there  is  always 
a  shortage  of  qualified  candidates. 

You’ll  be  inundated  with  resumes, 
anyway.  All  of  them  will  boast  of  a  cer¬ 
tain  pedigree  from  the  military,  law 
enforcement  or,  more  recently,  the 
intelligence  community.  While  it’s  true  that 
the  majority  of  CSOs — those  who  hold  domin¬ 
ion  over  corporate  security  as  a  whole  and  not 
just  IT  security— can  be  found  among  these 
ranks,  it’s  also  true  that  this  background  alone 
does  not  a  qualified  CSO  make. 

The  best  CSOs,  in  fact,  understand  that 
they  can’t  simply  transplant  military  or  police 
experience  into  the  corporation,  but  rather 
they  must  adapt  that  experience.  The  same 
holds  true  for  IT  security  specialists  looking  to 
move  up  the  ranks  to  a  broader  security  role. 

Many  candidates  don’t  get  this.  I  remember 
one  candidate  who  thought  he  had  the  pedi¬ 
gree  for  a  CSO  position  at  a  Fortune  500  com¬ 
pany,  but  he  stomped  his  way  through  the 
interview  process  like  a  cop,  playing  the  role  of 
the  authority  figure  and  the  enforcer. 

The  company,  naturally,  was  turned  off  and 
decided  that,  while  he  was  technically  quali¬ 
fied,  his  personality  wasn’t  going  to  fit  in. 
When  the  candidate  heard  the  news,  he  lashed 
out,  almost  like  a  child,  yelling  and  screaming 
about  how  stupid  the  company  was  for  not 
choosing  such  a  qualified  candidate.  He  sim¬ 
ply  couldn’t  understand  why  it  didn’t  pick 
him.  I  could  see  why  right  away. 

On  the  other  hand,  when  my  recruiting  job 
is  easy,  it’s  really  easy.  As  tired  as  the  cliche  is, 
the  best  CSO  candidates  are  a  cut  above  all  the 
others. There’s nothing on a resume that will delineate that. It’s the intangibles. The appli¬
cants’  ability  to  communicate,  to  listen,  but 
also  to  provide  a  sort  of  discipline.  They 
remain  cool  under  pressure.  They’ve  handled 
crises.  They  are  usually  entrepreneurial— and 
you  see  this  now  as  many  good  CSOs  take  it 
upon  themselves  to  go  back  to  school  and  get 
MBAs,  recognizing  the  increasing  importance 
of  a  solid  business  background. 

CSOs  also  have  an  ethical  grounding  that, 
frankly,  is  just  stronger  than  most  people’s. 
Good  CSO  candidates  exude  leadership.  I 
would  argue  that  the  CSO  position  requires 
the  most  dynamic  leadership  in  the  company 
after  that  of  the  CEO. 

No  wonder,  then,  that  this  is  a  rare  species. 
The  harsh  truth  may  be  that  some  companies 
will  hire  a  CSO-in-training— someone  on  the 
path  to  becoming  that  ideal  leader  but  who 
hasn’t  yet  gotten  there.  That  will  require  extra
support  for  the  development  of  the  executive 
from  the  rest  of  the  executives  but  will  be  well 
worth  it.  You’d  rather  hire  someone  like  that 
than  someone  like  the  guy  who  lashed  out  at 
not  getting  the  job. 

The  evolving  relationship  between  physical 
security  and  IT  security  is  another  factor  to  con¬ 
sider. When I started recruiting security executives, it was right before the Internet really took off, and I predicted that the CISO role would rise in prominence to the executive level—sitting in a very key part of the organization.

PHOTO BY RONALD DOTZLER

I  was  wrong.  The  future  of  the  CSO  will 
combine  the  traditional  security  group  with  IT 
security.  That  means  a  CSO  will  need  to  cross 
worlds  (because  the  good  ones  are  entrepre¬ 
neurial,  they’ll  go  get  the  skills  they  need),  but 
don’t  get  hung  up  on  a  phy-sec  specialist  need¬ 
ing  massive  amounts  of  technical  proficiency, 
or  vice  versa. 

Far  more  crucial  than  that,  the  good  CSO 
will  play  the  role  of  orchestra  conductor.  He’ll 
know  how  to  get  the  best  from  the  string  sec¬ 
tion  and  the  brass  section,  and  he’ll  get  them 
to  play  well  together  under  the  guidance  of  his 
baton. 

Beyond  the  merging  of  tactical  disci¬ 
plines,  the  scope  of  the  CSO  role  and  its 
presence  in  the  corporation  will  continue  to 
grow,  to  evolve.  I  see  the  CSO  serving  the 
board in fiduciary and ethics issues—as dictated by legislation such as Sarbanes-Oxley—almost becoming the board’s ethical
consultant.  But  what  will  remain  a  constant 
is  the  need  for  that  CSO  to  be  a  leader  and 
not  just  a  manager. 

Tracy  Lenzner  has  been  recruiting  security  executives  for 
more  than  six  years. 


SAFETY IN NUMBERS

Length of Fraud Schemes

For every fraud scheme that lasts only a month there’s one that’s been going on for 10 years.

[Chart: length of fraud schemes, by share of cases. Categories shown: less than 1 month; 1 to 11 months; between 1 and 3 years. Only one segment value (34%) is legible in this copy.]


Security  Starts  at  the  Top 


GOVERNANCE  People 
in  the  security  industry  don’t 
agree  about  everything,  but 
on  the  following  point  they 
generally  see  eye-to-secu- 
rity-conscious-eye:  Weak¬ 
nesses  in  user  practices 
pose  a  greater  threat  to  an 
organization’s  security  than 
do  any  vulnerabilities  related 
to  technology. 

Building  a  secure  organi¬ 
zation  requires  a  culture 
change  on  every  level.  That’s 
why,  despite  the  fact  that 
the  security  minutiae  may 
fall  to  the  CSO,  ultimate 
responsibility  for  a  com¬ 
pany’s  security  lies  with  the 
entire  executive  team.  So  as 
an  executive,  it’s  crucial  for 
you  to  know  what  you  can  do 
to  turn  users— forgetful 
users,  careless  users,  dis¬ 
tracted  users— into  the  first 
line  of  security  defense 
instead  of  your  company’s 
biggest  vulnerability. 

The  first  step?  Recog¬ 
nize  the  dangers  that  lack¬ 
adaisical  users  can  wreak 
on  a  company’s  security. 

The  next  time  your  CSO 
says,  “Have  you  heard  the 
one  about  the. ..(insert  hor¬ 
ror  story  here)?”  listen 
closely.  Maybe  it’s  a 
health-care  employee  who 
unwittingly  made  hundreds 
of  medical  records  avail¬ 
able  on  the  Internet,  or  an 
office  assistant  who  fell  vic¬ 
tim  to  a  hacker’s  wiles  and 
shared  company  pass¬ 
words.  Pay  attention  to  the 
repercussions  executives 
of  the  unfortunate  compa¬ 
nies  suffered.  Were  they 
sued?  Humiliated  in  the 
industry?  You  could  be  too. 

Your next step is to begin to recognize what your company can do to protect itself.
In  most  cases,  the  strongest 
defense  is  a  watertight  secu¬ 
rity  policy.  Don’t  know  if  your 
company  has  one  of  those? 
Find  out.  Ask  the  CSO  to  take 
you  and  the  rest  of  the  execu¬ 
tive  team  through  it  step  by 
step.  The  security  policy 
should  be  written,  easy  to  fol¬ 
low  and  readily  available  to 
everyone  in  the  company. 

Once  the  executive  team  is 
familiar  with  the  security  pol¬ 
icy,  the  next  step  is  to  make 
sure  employees  are  following 
it.  While  that  doesn't  mean 
the  CEO  should  perform  spot 
checks  on  employees'  desk¬ 
tops,  it  does  mean  that  the 
plans  for  educating  the  entire 
company  should  be  clear.  Do 
employees  go  through  secu¬ 
rity  training?  What  kind,  and 
how  often?  Is  the  executive 
team  comfortable  with  the 
level and amount of training required? How does the security team communicate policy updates? Are department managers responsible for enforcing security rules? If so, do they know that?

Finally— and  this  is  where 
your  leadership  skills  should 
come  into  play— lead  by  ex¬ 
ample.  Be  beyond  reproach 
in  your  meticulous  attention 
to  the  security  policy.  Take 
extra  care  with  your  pass¬ 
words.  If  members  of  the 
executive  team  make  it  their 
responsibility  to  become  the 
most  security-conscious  peo¬ 
ple  in  the  building,  the  rest  of 
the  company  should  eventu¬ 
ally  follow  suit.  You  and  the 
other  executives  in  your  com¬ 
pany  might  not  think  security 
is  the  most  interesting  part  of 
your  job.  But  it’s  a  safe  bet 
that  it’s  one  of  the  most 
important. 

-Meg  Mitchell  Moore 


Here’s a to-do for CEOs who want to lead by example: Sit down with the CSO and create a one-page document that plainly states the corporate security philosophy. No, not a mushy mission statement, says former CISO Stephen Northcutt, who now oversees security training and certification at the SANS Institute. “It must state that security is important,” he says, “but more than that, it must say that this is what I, the CEO, believe about the importance of security. It has to have teeth. Facts. That will create a formal directive from the top, and that a security violation is a violation of what the CEO believes in.”

And don’t stop there. Enforce the document. Most of the time, Northcutt says, a security policy falls apart because enforcement of it is weak, and punishments for infringements are inconsistent.

SANS itself has just such a document, Northcutt says. “We had an employee terminated for accidentally sending out a spreadsheet that was proprietary. Now, you might think, wow, that’s harsh. But it’s not. It’s policy. It’s written down and endorsed from the top.”

-Scott Berinato




PHOTO  BY  GETTY  IMAGES 


PHOTO BY STEPHEN WEBSTER

[Chart: What is the CSO's background? Bar values are only partly legible in this copy (33%, 29%, 11%). SOURCE: 73 CIOs, CISOs and chief risk officers, from "The State of the CSO" survey conducted spring 2003. Respondents could choose more than one answer.]


Immune  Systems 


SOFTWARE  SECURITY  Computer  viruses,  like 
human  viruses,  are  not  democratic.  Some  organizations 
have  tremendous  problems  with  viruses,  others  don’t. 

There  are  other  similarities  between  digital  viruses 
and  their  biological  analogue.  The  first,  of  course,  is  com¬ 
municability:  Both  kinds  of  viruses  spread  from  infected 
systems  to  ones  that  are  apparently  healthy.  Another  is  the 
potential  for  harm:  Most  viruses  are  a  mere  annoyance,  but  others 
can  do  serious  damage. 

But  there  is  a  key  difference:  Unlike  human  viruses,  there  are 
proven  measures  one  can  take  to  protect  oneself  from  computer  bugs. 

First  and  foremost,  get  some  antivirus  software,  right?  Wrong. 
You  do  need  it,  but  it’s  not  the  most  important  defense  mechanism. 
The  most  important  way  for  a  CSO  to  combat  computer  viruses— 
and  many  other  problems  as  well— is  to  back  up  data.  That  will 
require  your  CSO  to  institute  a  comprehensive  and  well-conceived 
plan— which  is  different  from  just  buying  some  software  and  sched¬ 
uling  a  copy.  Make  sure  every  computer  that  has  active  data  is 
backed  up;  some  organizations  back  up  just  their  servers,  only  to 
discover  that  employees  have  been  keeping  critical  files  on  their 
desktop  and  laptop  computers.  Other  organizations  cut  costs  by 
copying data from one server to another. That is a potential trap: An aggressive computer virus might jump from one machine to another and wipe out files on both. A copy that an infected machine can reach and overwrite is not a backup against a virus; at least one copy has to be kept offline or otherwise out of its reach.

Then,  once  the  backup  is  in  place,  it’s  time  to  think  about  anti¬ 
virus  software. 

“The virus problem got significantly worse when the virus writers discovered e-mail worms,” says computer security consultant Richard Smith, who helped track down the author of the Melissa worm in 1999. “E-mail worms spread much more quickly than viruses do via floppy disks and Word documents. Internet connectivity makes for a fertile breeding ground for e-mail worms.”

To  prevent  an  attack  by  e-mail,  you  must  run  an  antivirus 
system  on  either  your  mail  server  or  on  every  client  workstation. 
Most  organizations  prefer  filtering  at  the  server,  since  it  is  easier  to 
administer  a  single  antivirus  system.  On  the  other  hand,  many  users 
will  also  check  their  personal  e-mail  while  at  work,  so  the  most  solid 
security  comes  by  running  antivirus  software  at  both  locations.  On 
top  of  that,  many  companies  diversify  their  defenses  by  running  two 
or  more  different  companies’  antivirus  programs  simultaneously. 
That’s  in  case  one  company’s  research  leads  it  to  protect  against  a 
virus  another  hasn’t  yet  caught. 

But  well-thought-out  data  backup  is  still  the  key  defense  against 
viruses.  It’s  acknowledging  that  you  can’t  stop  viruses,  you  can  only 
hope  to  contain  them.  It’s  also  just  good  computer  security  policy. 

-Simson  Garfinkel 


Information systems and military experience are the most common threads in CSO backgrounds today (the largest bar in the chart reads 78%)...

...and technical certification is more prevalent than business education.

[Chart: Which of the following degrees and certifications does your CSO hold? Values not legible in this copy.]


Required  Reading 


Catch  this  if  you  can. 

The  Art  of  the  Steal:  How  to  Protect 
Yourself  and  Your  Business  from 
Fraud,  America’s  #1  Crime 

Frank  W.  Abagnale  Broadway  Books,  2001 
The  subject  of  the  Steven  Spielberg  movie  Catch 
Me  If  You  Can,  Abagnale  borrows  on  his  former 
life  of  fraud,  and  current  life  as  fraud  detector,  to 
offer  practical,  albeit  general,  advice  for  avoiding 
fraud  schemes.  And  it's  always  entertaining.  For 
example,  when  he  says  if  you're  waiting  for  the 
paperless  society,  you  might  as  well  wait  for  “the 
paperless  toilet.” 

You  really  want  to  get  into 
your  CSO’s  head?  Here’s  a 
book  about  security  that  CSOs 
would  love  their  executive 
peers  to  read. 

IT  Security:  Risking  the  Corporation 

Linda  McCarthy  Prentice  Hall  PTR,  2003 
Though  this  book  was  written  by  an  employee  at 
software  giant  Symantec,  it  offers  a  vendor-neutral 
analysis  of  the  types  of  security  risks  faced  by  cor¬ 
porations  of  all  sizes.  It’s  full  of  bracing  real-world 
examples  of  security  done  badly  but  is  a  good  read 
as  it  avoids  using  scare  tactics  or  an  abundance 
of  confusing  acronyms. 

Where  do  you  send  your 
employees? 

The  World’s  Most  Dangerous  Places, 
5th  Edition 

Robert  Young  Pelton  HarperResource,  2003
For  global  corporations,  it’s  important  to  under¬ 
stand  the  level  of  danger  in  unstable  countries, 
particularly  if  you  have  employees  located  there. 
This  book  won’t  put  a  smile  on  your  face,  but  it 
does  give  an  accurate  depiction  of  the  threat 
landscape  around  the  world. 

IT  security  isn’t  as  bad  as  you 
think— it’s  worse. 

Secrets  and  Lies:  Digital  Security  in 
a  Networked  World 

Bruce  Schneier  John  Wiley  &  Sons,  2000 
Schneier  explains  what  everyone  in  business 
needs  to  know  about  security.  The  book  takes  a 
behind-the-scenes  look  at  the  structure  of  security 
systems,  exposing  vulnerabilities  and  poking  holes 
in  prevailing  wisdom,  all  with  a  sense  of  humor. 


Security  is  everywhere,  all 
the  time. 

Industrial  Security 

David  L.  Berger  Butterworth-Heinemann,  1979 

Accessible  overview  of  the  so-called  physical 
security  discipline.  A  reference  book  every  execu¬ 
tive  should  have. 

Ignorance  of  the  law  is  no 
excuse. 

Protective  Security  Law 

David  Arnold,  Bernard  Farber  and  Fred  E.
Inbau  Butterworth-Heinemann,  1996 
In  the  words  of  security  manager  Eduard  Telders: 
“Good  review  of  liability  and  the  law  as  it  applies 
both  to  companies  and  the  individuals  with  security 
responsibilities.  A  good  eye-opener  for  those  who 
have  not  spent  time  on  this  topic.  Helps  property 
owners  and  business  understand  their  rights, 
pitfalls  and  accepted  practice  in  today's  security 
environment.” 


Who  Your  CSO 
Calls  for  Help 

WHEN  JIM  MECSICS,  vice  president 
of  corporate  security  for  Equifax,  goes 
before  corporate  management,  he's  fully 
armed  with  facts,  figures,  research 
and  analysis  to  make  his  arguments 
compelling.  Here  are  some  of  the  sites 
that  he  finds  valuable  in  making  a  case. 

ASIS  International 

www.asisonline.org 

Centers  for  Disease  Control, 
Public  Health  Emergency 
Preparedness  &  Response 

www.bt.cdc.gov 

Department  of  Justice’s  Computer 
Crime  and  Intellectual  Property 
Section 

www.cybercrime.gov 

Federal  Bureau  of  Investigation 

www.fbi.gov 

Federal  Emergency  Management 
Agency 

www.fema.gov 

Homeland  Defense  Journal 

www.homelanddefensejournal.com 

The  International  Policy  Institute 
for  Counter-Terrorism 

www.ict.org.il 

National  Cyber  Security  Division, 
Department  of  Homeland  Security 

www.nipc.gov 

Overseas  Security  Advisory 
Council 

www.ds-osac.org 

The  Terrorism  Research  Center 

www.terrorism.com


“It doesn’t matter how good the documentation is, really. It just has to weigh a lot. I go in with three good metrics and seven pounds of paper underneath it.”

-ANONYMOUS CISO ON SELLING SECURITY TO EXECUTIVES




PHOTOS BY ALBERTO CAPOLINO


Advertising  Supplement 


RSA  Security  Presents 

Strong  Authentication 

Building  Trust  into  Identity  Management 


Organizations  around  the  globe  are  working  feverishly 
to  gain  a  business  advantage  over  their  competitors 
by  attracting  new  customers  and  retaining  current 
customers,  as  well  as  cutting  costs.  They  need  to 
work  just  as  hard  to  maintain  their  market  position  in  these  chal¬ 
lenging  times.  These  organizations  can  accomplish  all  of  this  by 
empowering  their  users — employees,  customers  and  partners 
alike — with  electronic  access  to  applications  and  processes  that 
have  traditionally  been  confined  to  manual  operations.  Such 
electronic  environments  are  now  governed  by  robust  identity 
management  strategies  that  rely  heavily  on  strong  authentication 
to  ensure  online  trust. 

Why Focus on Authentication?

An effective identity management solution establishes trust in an organization’s online environment, and more specifically in identities. The cornerstone of this trust is strong authentication. Authentication—in the form of tokens, smart cards, digital certificates, etc.—establishes trust by proving the identities of the participants involved in a transaction beyond a shadow of a doubt. Without authentication, after all, how does an organization know who’s at the other end of a transaction?

Increasingly,  organizations  are  recog¬ 
nizing  and  leveraging  authentication  as 
the  foundation  for  other  critical  ser¬ 
vices  on  which  good  business  practices  are  built.  Based  on  trust 
established  through  the  authentication  of  the  identity  of  a  user, 
device,  application,  or  transaction,  for  example,  an  organization 
can  then  implement  additional  services  such  as: 

■  Web  Services  —  inter-application  transactions  that  operate 
behind  the  scenes  to  take  computing  to  new  levels  of  productiv¬ 
ity  for  individuals  and  organizations,  as  well  as  their  customers 
and  partners. 

■  Access  Management  —  based  on  business  policies  that 
define  the  relationships  between  authenticated  users  and  infor¬ 
mation,  an  organization  can  authorize  and  control  access  to 
resources,  applications  and  services. 

■ Accountability — the ability to know reliably who did what, where and when is the basis for complying with regulations and business policy regarding liability and assurance for transactions.

What  Drives  the  Need  for  Authentication? 

There  are  many  factors  that  contribute  to  the  growing  need  for 
strong  authentication  within  an  identity  infrastructure.  The  top 
issues  can  be  grouped  into  three  high-level  categories. 

First, there is no argument about the reality or impact of the trend towards process automation and web services to work more efficiently in today’s challenging business environment. In addition, access requirements are expanding at staggering rates, while organizations make information available to an ever-increasing number of users, as well as extend that access beyond the enterprise network to include customers and business partners. The need for reliable and portable authentication credentials is increasing, simultaneously with an exponential increase in the size and complexity of our networks.

Second,  the  volume  of  sensitive  and 
high-value  information  accessed  by  this 
growing  population  of  users  continues  to 
rise.  And  where  there  is  value,  there  are 
people  who  will  try  to  obtain  it.  Reports 
and  statistics  abound  of  the  high  levels  of 
compromise  and  theft  of  information, 
and  there  is  a  steadily  growing  awareness 
of  the  need  for  stronger  information 
security. 

The third factor that contributes to the need for strong authentication technologies can be referred to as “the problem with passwords.” The proliferation of passwords has become unmanageable for end-users and administrators alike, and the authentication method once naively viewed as “free” is actually surprisingly expensive in terms of ongoing management and support costs. And when organizations consider the inherent weaknesses in passwords—which make them easy to steal or even guess—the challenge is dramatically compounded.

What’s  Holding  It  Back? 

The  market  issues  listed  above  are  compelling,  so  what  if  any¬ 
thing  is  holding  back  the  adoption  of  strong  authentication  tech¬ 
nologies  as  part  of  mainstream  identity  management  strategies? 

Cost is certainly a consideration—acquisition costs, deployment costs and the perception (albeit not necessarily the reality, especially when compared to passwords) of additional administrative burden. Where there are physical devices used for authentication (smart cards, tokens, biometrics devices, etc.), some organizations also have concerns about the cost or inconvenience of lost/forgotten/broken/stolen authenticators.

Deployability is sometimes a factor, e.g., the slow uptake of an installed base of smart card readers; the challenge of implementing solutions that require software to be installed on every end-user system; the lack of interoperability with existing systems; and general concerns about scalability to tens of thousands, hundreds of thousands or millions of users.

Convenience  must  weigh  into  the  equation.  Any  security  mea¬ 
sure  that  is  rejected  by  the  user  is  doomed  to  fail.  Although  user 
acceptance  should  not  dictate  all  security  policies,  organizations 
must  consider  the  impact  that  authentication  methods  have  on 
users  and  their  productivity. 

Finally,  there  is  often  the  reality  of  short-term  focus  on  other 
business  objectives,  where  stronger  security  takes  a  back  seat  to 
other  priorities  such  as  time-to-market.  Business  justification  can 
sometimes  be  difficult,  especially  where  security  awareness  is 
lacking,  and  it  is  an  understatement  to  note  that  it  can  some¬ 
times  be  difficult  to  quantify  the  return  on  investment  for 
authentication  technologies. 

How  RSA  Security®  Can  Help — 

The  Authentication  Scorecard 

As  a  longtime  market  leader  in  strong  authentication  technology, 
RSA  Security  finds  that  its  customers  and  prospects  ask  three 
particular  questions  on  a  recurring  basis: 

■  Which  authentication  solution  should  I  use? 

■  What  is  the  business  value  from  my  authentication 
investment? 

■  What  criteria  should  I  use  to  select  an  authentication  vendor? 

RSA  Security  specifically  addresses  the  first  question,  by  pro¬ 
viding  a  consistent,  structured  framework  and  a  corresponding 
calculator— the  Authentication  Scorecard — that  will  help  orga¬ 
nizations  to  choose  the  most  appropriate  authentication  tech¬ 
nology  from  a  wide  selection  of  alternatives. 

Why  an  Authentication  Scorecard?  In  light  of  expanding 
access,  the  increasing  value  of  information  and  the  problem  with 
passwords  (not  to  mention  the  numerous  authentication  tech¬ 
nologies  already  available),  as  well  as  ongoing  technical  innova¬ 
tion,  companies  are  frequently  re-evaluating  their  authentication 
strategies.  But  with  so  many  authentication  alternatives  available, 
how  can  they  objectively  be  positioned? 

Vendors, who quite naturally emphasize only the strongest aspects of their particular solutions, tend to exacerbate the problem by creating (either directly or indirectly) “apples-and-oranges” comparisons between various authentication technologies. For example, how can an organization objectively compare the multipurpose value proposition of a “smart badging” solution (such as combining photo ID, building access, network/application access and stored value on a single physical device) with the low-cost, zero-footprint, zero-deployment value proposition of a one-time passcode delivered in real-time as a text message?

At  RSA  Security,  our  belief  is  that  there  will  be  no  one  silver 
bullet  for  all  authentication  challenges,  no  single  technology  or 
approach  that  will  optimally  address  all  scenarios,  no  universal 
solution  that  will  meet  all  requirements.  On  the  contrary,  there 
will  continue  to  be  a  rich  diversity  of  authentication  technolo¬ 
gies — from  traditional  time-synchronous  tokens,  to  digital  cer¬ 
tificates,  to  smart  cards  and  USB  tokens,  to  virtual  credentials 
and  virtual  containers  . . .  even  passwords. 

What  is  needed,  therefore,  is  a  consistent,  structured  frame¬ 
work  that  will  help  organizations  to  understand,  evaluate  and 
select  the  most  appropriate  authentication  technology  from  a 
wide  selection  of  alternatives.  That’s  where  the  Authentication 
Scorecard  lends  a  helping  hand — making  an  otherwise  arduous 
process  virtually  painless  and  always  personal. 


Strong Authentication Options

Technology advancements have resulted in a myriad of strong authentication options from which to choose. Each solution has pros and cons, which must be evaluated against business needs. Without guidance, this can certainly be an arduous process.

■ Two-factor authentication tokens offer a range of easy-to-use options, from hardware to software, that help to create a strong barrier against unauthorized access by requiring physical possession of a device. Device deployment can be a barrier in this case.

■ One-time use access codes leverage mobile devices to enable enterprises to more securely extend popular Web applications, while reducing the risk of fraud. Such technology is highly portable, but requires an SMS infrastructure.

■ Smart cards combine the functionality of physical and network access into a single integrated device to ensure cost-effective management of access to corporate resources. The user benefits from single sign-on to both physical and electronic resources, but these resources are often controlled by different departments within an organization.

■ Digital certificates and signing offer highly portable authentication functionality for legally binding electronic communications and transactions. This solution is often transparent to the user; however, the infrastructure behind it is often viewed as a challenge.




Total Cost of Ownership

Acquisition Cost
• What are the initial acquisition costs?
• Include all additional hardware, software, servers, readers, services, etc. associated with acquiring the authentication solution.

Deployment Cost
• What are the costs to deploy the authentication solution?
• This includes the distribution of any necessary hardware or software; ease of installation; ease of setup and configuration; training of end-users, etc.

Operating Cost
• What are the ongoing operating costs?
• This may include costs for replacement (e.g., expired/lost/stolen/broken) authentication devices; ongoing management; upgrades; vendor support; help desk support; etc.

Strategic Fit (users)

Convenience/Ease of Use
• What kinds of end-user population(s) will be supported?
• How easy is it for end-users to learn how to use the authentication method?
• How convenient is it for end-users to use the authentication method, day in and day out?

Portability
• How portable is the authentication method?
• Can it reliably be used to gain access from multiple locations (office, home, airport, hotel, kiosk, etc.)?

Multi-Purpose
• Can the authentication method be used for more than one purpose? e.g., network access, physical access, application access, photo ID badge, electronic signature, stored value, etc.
• Does the authentication method leverage a device that is itself used for multiple purposes? e.g., PC, PDA, phone, etc.

Strategic Fit (corporate/system)

Relative Security
• How strong is the authentication?
• How secure is the implementation?
• Is it adequate for the information being protected?
• Does it meet regulatory requirements (if any) for the protection of information?

Interoperability/Back-end Integration
• Does the authentication solution work natively with multiple products?
• Does it work only with the installation of additional software?
• How easy is it to integrate with back-end resources or applications? What resources and applications need to be supported?

Robustness/Scale
• Does the authentication solution scale to the degree required now?
• Three years from now?

Future Flexibility
• What future options may be available from the selection of this authentication solution (whether you currently intend to use them or not)?
• What future options might be of interest?

The Authentication Scorecard—Three Major Categories, Ten Basic Attributes

The Authentication Scorecard reflects not only RSA Security’s years of experience and market leadership in strong authentication technology, but also the additional structure and detail required to make a fair comparison of various authentication technologies.

In the Authentication Scorecard framework, there are three high-level categories—Total Cost of Ownership, Strategic Fit (users), and Strategic Fit (corporate/system)—each of which can be broken down slightly further for a total of ten basic attributes. Any authentication technology can be compared—in a consistent, “apples-to-apples” manner—using this simple framework. The Authentication Scorecard framework is outlined in a detailed white paper which features a series of basic questions that can be used to compare and contrast various authentication alternatives. Taking a personalized approach, an organization’s business requirements are easily factored into the evaluation, resulting in a technology comparison that reflects an organization’s unique needs.
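The framework described above, worked through as a weighted scoring routine in Python. This is an added example, not RSA Security's own calculator or code: the ten attributes and their three-category grouping come from the scorecard, while the organization's weights, the ratings of the four candidate technologies and the minimum-security floor are constructed assumptions.

```python
"""Authentication Scorecard as a weighted scoring routine (added example).

Each candidate technology is rated 1..5 on the scorecard's ten attributes;
an organization expresses its business requirements as per-attribute
weights. Scores are normalised to 0..100 per category and overall.
"""
from dataclasses import dataclass

# The three categories and ten attributes named on the page.
CATEGORIES = {
    "Total Cost of Ownership": (
        "Acquisition Cost", "Deployment Cost", "Operating Cost"),
    "Strategic Fit (users)": (
        "Convenience/Ease of Use", "Portability", "Multi-Purpose"),
    "Strategic Fit (corporate/system)": (
        "Relative Security", "Interoperability/Back-end Integration",
        "Robustness/Scale", "Future Flexibility"),
}
ATTRIBUTES = tuple(a for attrs in CATEGORIES.values() for a in attrs)
# 5 is always the favourable end (lowest cost, easiest deployment, strongest
# security) so that cost and fit attributes can be added on one scale.
RATING_MIN, RATING_MAX = 1, 5


@dataclass
class Result:
    name: str
    total: float        # 0..100, weighted over all ten attributes
    per_category: dict  # category name -> 0..100 (None if category unweighted)


def validate_weights(weights):
    """Weights express the organization's requirements; every attribute needs one."""
    missing = set(ATTRIBUTES) - set(weights)
    if missing:
        raise ValueError(f"unweighted attributes: {sorted(missing)}")
    if any(w < 0 for w in weights.values()) or sum(weights.values()) == 0:
        raise ValueError("weights must be non-negative and not all zero")


def validate_ratings(name, ratings):
    """A candidate must be rated on all ten attributes, each within the scale."""
    missing = set(ATTRIBUTES) - set(ratings)
    if missing:
        raise ValueError(f"{name}: unrated attributes: {sorted(missing)}")
    bad = {a: r for a, r in ratings.items() if not RATING_MIN <= r <= RATING_MAX}
    if bad:
        raise ValueError(f"{name}: ratings out of range: {bad}")


def weighted_score(ratings, weights, attrs):
    """Weighted mean of the given attributes, normalised to 0..100."""
    total_weight = sum(weights[a] for a in attrs)
    if total_weight == 0:
        return None
    return round(100 * sum(weights[a] * ratings[a] for a in attrs)
                 / (RATING_MAX * total_weight), 1)


def rank(candidates, weights, security_floor=RATING_MIN):
    """Score every candidate and rank the qualifying ones, best first.

    Candidates whose Relative Security rating is below security_floor are
    returned separately: a cheap, convenient option must not win on points
    if it is not adequate for the information being protected.
    """
    validate_weights(weights)
    ranked, rejected = [], []
    for name, ratings in candidates.items():
        validate_ratings(name, ratings)
        if ratings["Relative Security"] < security_floor:
            rejected.append(name)
            continue
        per_cat = {cat: weighted_score(ratings, weights, attrs)
                   for cat, attrs in CATEGORIES.items()}
        ranked.append(Result(name, weighted_score(ratings, weights, ATTRIBUTES), per_cat))
    ranked.sort(key=lambda r: r.total, reverse=True)
    return ranked, rejected


# Constructed sample data (not RSA Security's figures): weights for a
# hypothetical organization with a mobile workforce and sensitive data, and
# illustrative ratings, in ATTRIBUTES order, for four options the page lists.
SAMPLE_WEIGHTS = {
    "Acquisition Cost": 2, "Deployment Cost": 3, "Operating Cost": 2,
    "Convenience/Ease of Use": 2, "Portability": 3, "Multi-Purpose": 1,
    "Relative Security": 4, "Interoperability/Back-end Integration": 2,
    "Robustness/Scale": 2, "Future Flexibility": 1,
}
SAMPLE_CANDIDATES = {
    "Time-synchronous hardware token": dict(zip(ATTRIBUTES, (2, 2, 3, 4, 5, 1, 5, 4, 5, 3))),
    "One-time passcode via SMS":       dict(zip(ATTRIBUTES, (5, 5, 4, 4, 5, 4, 3, 3, 4, 3))),
    "Smart card":                      dict(zip(ATTRIBUTES, (2, 1, 2, 3, 2, 5, 5, 3, 4, 4))),
    "Password only":                   dict(zip(ATTRIBUTES, (5, 5, 2, 3, 5, 1, 1, 5, 5, 1))),
}

if __name__ == "__main__":
    ranked, rejected = rank(SAMPLE_CANDIDATES, SAMPLE_WEIGHTS, security_floor=3)
    for r in ranked:
        print(f"{r.total:5.1f}  {r.name}")
        for cat, s in r.per_category.items():
            print(f"       {s:5.1f}  {cat}")
    print("disqualified (below security floor):", rejected)
```

With these sample weights the SMS passcode outscores the hardware token on cost and user fit but trails it on the corporate/system category, and the password-only option is disqualified by the security floor rather than ranked on its low cost.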

Conclusion

As an increasing number of applications are exposed to more and more users, organizations need to consider their identity management requirements as they apply to their unique business objectives. They need to provide strong authentication and manage multiple authentication methods in order to ensure the trust in identity they need to empower users. RSA Security offers enterprises the widest range of authentication options—from tokens and smart cards to digital certificates—and the know-how to help you select the right solution for your unique business requirements.


need help?

For a copy of RSA Security’s Authentication Scorecard white paper—and to learn how to calculate your own score—visit http://www.rsasecurity.com/go/cso/


SECURITY 


SECURITY SALARIES ARE still shaking out as the executive-level security role comes into its own. That’s because the story of the typical CSO is not a simple one. Just about every security officer out there is a variation on a theme. Likewise, there’s no clear consensus on exactly what a CSO’s worth is—not among recruiters or even CSOs themselves. CSO research indicates an average salary of about $125,000, but the gap is wide. “Large companies hiring security executives can pay up to $500,000,” says Marc Lewis, president for the North American division of Morgan Howard, a global technology executive recruiter.

As part of our annual compensation survey of more than 400 security executives, we asked CSOs to give us an idea of how much they make, what their jobs entail, what their professional titles are, how long they’ve been at their jobs and in what industries they work.

The results were not what we were expecting. Our respondents indicated that having a C-level title doesn’t necessarily translate to a higher salary. In fact, most of the respondents at that level are making about the same in terms of total compensation, regardless of title—in other words, security managers earn basically what CSOs do. Compensated most highly are vice presidents or directors, but only 8 percent of them make more than $300,000 per year.

We may have been caught off guard, but the lack of a connection between title and compensation was no surprise to CSOs we talked to. According to Marcia LaManna, corporate director of systems security for Lifetime Healthcare, title isn’t the point. “I don’t care much about title,” LaManna says. “I’m the last word on security at my company. If I were at another company, I’d probably have the CISO or CSO title. But I don’t think the C in the title matters in terms of salary.”

A security manager at one company can be doing the same job as an executive vice president or a CSO at another. That’s probably why, at least for now, compensation levels are predicated more on the scope of the CSO’s job responsibilities than on title.

In general, though, companies have been slow to define that scope, which means they don’t know how to properly compensate the people they hire.

Clearly, industries with a high risk level tend to pay higher salaries to their security executives, says LaManna. Salaries in health care, for example, are starting to reflect the increase in security responsibilities caused by demands for data privacy in the Health Insurance Portability and Accountability Act, she says. As expected, the financial sector pays more than most—but high-tech companies showed up at the top of the scale in our research. “The computer industry pays more because, until recently, it was the hottest thing around,” says Rob Graven, a managing director specializing in technology and security services for Boyden Global Executive Search. “Computer and software companies have had the biggest IT departments with the largest budgets, and even though the boom is over, the salaries have held.”

CSO salaries probably won’t experience any major ups or downs for a while, says Graven, who sees greater demand for qualified security personnel developing. “The CSO role needs to gain greater definition and become more of a known quantity to corporations and CSOs alike,” he says. -Derek Slater

ILLUSTRATION BY STEPHEN WEBSTER

When it comes to CSO compensation, industry makes a big difference...

Health care: $110,697
Manufacturing: $110,000
Government: $78,290
Wholesale/Retail trade: $72,600

...but title doesn’t

CSO, CRO, CISO: $123,750
VP, Director: $112,194
Manager: $109,227

SOURCE: “THE STATE OF THE CSO” SURVEY CONDUCTED SPRING 2003. 113 RESPONDENTS.

www.csoonline.com Security Handbook 2004

PHOTO BY JENNY THOMAS


VIEW FROM THE CIO Contra Costa County, the sixth-largest county in California, hired its CISO Kevin Dickey back in 1996 to address glaring weaknesses in its information security posture. Dickey previously was in charge of security for the state’s lottery system. At Contra Costa, he reports to CIO Steve Steinbrecher, who says Dickey has driven Contra Costa toward dramatic improvement in its security policies, architecture and compliance but had to sharpen his marketing and soft skills to get the job done.

When I got here in May 1995, security was high on my list. We brought in Stanford Research Institute to do a security review of county security practices and infrastructure. When our CEO saw the report, he was not just stunned. He went nuclear.

He said this is just unacceptable. He and I presented the report to all the county department heads—it would be the equivalent of all the other O’s in a private-sector corporation—who said, “We don’t have the budgets to pay for this.” But the CEO was determined to fix the security issues and charged me with developing a job description and bringing in someone to build the security strategy, policies and procedures.

Now, I believe that the CSO should absolutely report to the CEO. In our case, county government is like a huge, diversified, multinational corporation in which all the business units have different products and don’t have to work together. The CSO—in order to build security into a company’s business strategy and build up the defense perimeters—has to have the same level of visibility that the CIO has. I made that argument to my boss, who said, “I already manage 40 business unit heads, so I need you to handle it.” So against my better judgment, our CSO reports to me.

Honestly, there wasn’t a whole lot of acceptance of what Kevin was trying to do for the first three or four years. People are really resistant when it comes to security issues. In America, we have a real problem with people monitoring our phone calls or e-mail traffic. It takes a long time to teach people—this isn’t a “personal” computer; it’s a corporate asset that belongs to the taxpayers. It’s hard to get that across, especially to lower-level workers. The CEO and I got a lot of pushback from the departments.

Then in 2000 an extremely uncomplimentary e-mail message about a county employee was sent to every person on the county’s e-mail list. That got people’s attention. That and 9/11 were two big turning points.

CIO OF CONTRA COSTA COUNTY (RETIRED), CALIFORNIA

But we’re not like the private sector in that the CEO can come down with an edict saying, “You guys either do it this way or you don’t get any dollars.” In county government, we have to do a lot more marketing and a lot more selling to get people to go along with the program. Kevin’s right down the hall from me, and we talk almost every day in person. Kevin has a staff of three other people. They set policy pretty much on their own, unless there’s some kind of a political issue.

One thing I focus on with a new senior manager is getting him through charm school. Many security guys have a tendency to look at things like cops do. That was probably Kevin’s biggest educational challenge coming in. The state of California [where he previously worked] is this huge bureaucracy, and it has a desk manual procedure for everything. County government is a lot more loosey-goosey. It requires more sensitivity, better marketing skills. My organization works very hard on those charm school skills, and Kevin probably spent his first two years learning that, getting smacked around by the department heads.

You have to go in with a solution, not just tell people no. For example, we had an issue with AOL Instant Messenger. Our corporate counsel stood up and said, “I want to give a testimonial for Kevin and Steve. I had this problem in my department, and I immediately called an all-hands meeting and said, ‘If I find one module of IM on a desktop in this department, heads will roll.’” They turned that whole issue over to Kevin and me and our wide area network (WAN) group and said, “Please find a solution for us.” And we’re going to do that using active directory services. Again, you just can’t go to people and say, “Don’t.” You can say, “This is unsafe, you could get yourself in real trouble here. However, I do have a solution, and you’re going to have to bear with us for 60 days while we roll it out.” And truthfully, that was an area where Kevin had to learn.

But we went from having a very fragmented, uncoordinated network and corporate messaging infrastructure to having an extremely robust, well-protected, five-nines-reliable WAN, with really good corporate messaging and Internet services. That’s basically a result of Kevin’s guidance together with some really talented telecommunications and system support people. Aside from one department that runs Microsoft products by state edict, we’re never down and we don’t have virus problems, knock on wood. And my peer group, they respond to that.

Steve Steinbrecher, who had been CIO of Contra Costa County since 1995, has worked in IT since 1972.




Nothing to Fear

METRICS Your CSO knew it had to happen sooner or later: Security’s mystique would fade and other executives would question its benchmarking techniques.

And your CSO’s tactics for getting his own way—by using fear, uncertainty and doubt—are no longer going to work, either. And it’s about time (see “6 Ways to Fend Off FUD,” next page).

Executives are weary of scare tactics and gloomy games of “what if the sky falls” from their CSOs. Instead, they’re now demanding from the CSO what they’ve expected from every other department all along—metrics. And if the knee-jerk reaction to this perfectly reasonable request is “But that’s impossible in security,” then stop your CSO right there.

Tell him that a very reliable source (OK, us) told you that’s simply not true. Because it isn’t. Many metrics that justify the cost of security are available now; still more are in development.

The mystical world of security is finally getting measured for a couple of reasons. First, vendors—desperate for business from increasingly careful potential customers—had to create metrics to get anyone to even consider their products.

Second, some security experts and academic and private researchers simply thought the time had come. They decided to calculate this stuff as if it were any other business investment. Which it is.

Finally, the security world sensed that executives were getting wise to their scare tactics. After all, that works only if the boss believes there really is a wolf when the CSO cries. It’s no longer tenable for a security executive to plead that hobgoblins such as return on security investment (ROSI), cost-benefit studies and risk analysis don’t apply to the realm of security. They do.

So go ahead. Demand metrics from your security team. To help, here are just a few metrics we can rattle off:

■ In a special report on ROSI, security consultancy @Stake calculated a 21 percent ROI when developers build security into products at the earliest stages of software development (to view the report, go to www.atstake.com). Translation: Spending up-front to secure software pays off big.

■ Improved software testing can shed 30 cents off every dollar lost to buggy software, according to a landmark National Institute of Standards and Technology (NIST) study (www.nist.gov). Translation: Investing in quality assurance up-front can save big money later.

■ A software bug that costs $1,000 to fix in the earliest phase of development will cost $30,000 to fix post-deployment, according to the NIST study. Translation: Investing up-front in bug fixes can save tons of cash.

Incidentally, in every case, metrics have proved that investing up-front—typically the easiest time to ignore or put off security spending—pays off.

-Scott Berinato


28 www.csoonline.com Security Handbook 2004

ILLUSTRATION BY ANASTASIA VASILAKIS

6 Ways to Fend Off FUD


MANAGING FEAR When all else fails to secure funding for security—and much of the time, all else does fail—it’s not uncommon for the desperate to resort to spreading fear, uncertainty and doubt (FUD) about security threats in order to get your attention, and your budget dollars.

It is not done blatantly nor proudly, but it is done. One CSO admitted to walking into the boss’s office and stealing a file, then locking the computer down with a password-protected screen saver so that the boss couldn’t access his own system. The goal was to scare the boss into understanding the security risks he posed, and, to an extent, it worked.

In the long run, though, FUD does more damage than good. It creates a cry-wolf atmosphere and sets up a dysfunctional relationship between the security team and the other executives, who will grow to view the CSO suspiciously at best, and at worst, dismissively.

So, by all means, dissuade your CSO from FUD-ing you with the following few steps to restore some rationality to the relationship.

1 Force your CSO to stick to the facts by having him condense information into a set of essential bulleted items. It’s a FUD-proof format that communicates the basics of a situation and empowers you to make clearheaded decisions based on the real facts and risks.

2 Forge a strong relationship with your security executive and make communicating about security a priority within the company. CSOs say that FUD often results when security leaders lack executive sponsorship and employee interest.

3 Create a relationship of mutual education. Encourage your CSO to explain security investments and their success or failure in a non-confrontational manner. His experience can inform your expectations for security. In return, share your own perspective and experience to ensure that your CSO grasps the business ramifications of security projects.

4 “I worked at a place where you dropped the word hacker, and the pocketbooks opened up,” says Adam Hansen, head of security at law firm Sonnenschein. Capitulating under the onslaught of FUD, even once, is like feeding your basset scraps from the table. You’ve created a beggar for life. Keep all security discussions, no matter how dire the situation, focused on the bare facts, the business risks and the ROI.

5 Don’t be part of the problem. “In a tight economy, CSOs will be more likely to have success with the FUD approach,” says Pat Schuler, a Minneapolis-based management coach and consultant. “Senior management is often better able to envision dire results than positive benefits.” Business executives need to steel themselves to security problems and calmly evaluate their impact. Your composure will put the damper on any plans the security team might have to shake you up with a dose of FUD.

6 Develop an enthusiasm for numbers. CSOs who keep good metrics are less likely to resort to FUD—instead they can let the numbers do the talking. Make sure your CSO understands that he must walk into your office with reproducible information and validated data to support his point of view. This point is so important, in fact, that we’ve expounded on it in “Nothing to Fear” on Page 28.

-Daintry Duffy


Stop the Spam

SECURITY SOFTWARE Spam is fast becoming a leading issue for many IT departments. Spam annoys employees, saps productivity, and can (in the case of pornographic spam) even contribute to a “hostile” work environment. What’s more, since spam is increasingly used by identity thieves, hackers and others as a way of spreading hostile software, spam can represent a serious security risk as well.

Spam has made such a huge impact on the corporate world that there are now literally dozens of different solutions to the problem—some free, some quite costly. The most effective systems implement a so-called white list of people who are allowed to send e-mail to your organization’s users. People who aren’t on the white list get sent a challenge with some test that they need to pass in order to prove they are human, and not some spam-sending robot. But while effective, these systems create massive headaches for mailing list operators, e-commerce sites and others that legitimately send out e-mail to large numbers of individuals.

Another approach to stopping spam is to use a program that analyzes each incoming e-mail message for the telltale signs of spam. Some of these systems use keyword analysis; others use complex statistical models. SpamAssassin, an open-source spam detection filter, employs more than 1,700 different tests.

Still a third approach is to use the electronic blacklists of “known spammers.” While reasonably effective, these systems effectively give a third party control over which e-mail message you will accept and which you’ll reject. That can cause serious problems when you want to receive a mail message from an ISP that’s been labeled as harboring spammers by the organization maintaining the blacklist.

Like antivirus programs, spam filters can be run on your mail server or at the client. In fact, antivirus and antispam applications are so similar from a technological point of view that most antivirus systems will probably incorporate antispam capabilities within the next six to 12 months. -Simson Garfinkel




SECURITY 


Paul Revere, Security Consultant

COMMUNICATING THREATS Alerting employees to potential security situations can be a tricky business. When management warns too often and threats don’t materialize, security can become an object of employee ridicule. If warnings are poorly communicated and employees aren’t given concrete action items, they may suspect that the company is not doing all it could to protect them.

In a recent treatise on the psychology of terrorist alarms, Philip G. Zimbardo, a professor of psychology at Stanford University, outlines what he calls the “Paul Revere paradigm for successful dissemination of public alarms.” He bases his paradigm on the theory that Revere’s famous midnight ride to alert the colonials of the British approach was successful for four reasons: Revere was known to be a credible communicator, his alarm was focused on a specific event, it was designed to spur citizens to act, and it called for a concrete set of actions in response. Zimbardo adds that contemporary psychological research has supported this paradigm by finding that such alarms should arouse only a moderate level of motivation. “Too low doesn’t energize action, and too high creates emotional overload and competing, distracting behaviors,” he says.

If you compare Zimbardo’s paradigm with the general public’s reaction to escalations in the national color-coded threat level, it’s clear why so much confusion has been generated. Zimbardo notes that after an alarm has been issued, it’s essential to debrief people so that any misinformation can be corrected and to reinforce in people the value of the efforts they’ve made. That is particularly important when a threat doesn’t materialize. “Some reputable authority must provide an explanation of why, and then also lower or remove the threat alert,” he says. -Daintry Duffy

The CSO Guild

A GUIDE TO WHO’S WHO IN THE WORLD OF SECURITY ORGANIZATIONS

Well-connected security executives are good to have. Fortunately, they have access to a network of organizations in which to share best practices, learn about the latest threats and vulnerability reports, and swap tricks of the trade with their colleagues. Since each organization serves a different purpose, your CSO is likely to belong to several. And that’s a good thing. A networked CSO is more effective at protecting your company than an isolated CSO would be. Here’s the lowdown on some of the most well-known security organizations.


Psy-curity 101

A SUCCESSFUL SECURITY PROGRAM IS ONE THAT TAKES INTO ACCOUNT THE SOFTER SIDE OF THINGS

Rest easy now. Your CSO has installed closed-circuit cameras in the workplace and metal detectors in the office lobby. The intrusion-detection system is operational. Everyone and everything is safe and secure. So why are your employees grumbling about corporate mistrust and their elevated level of stress?

The answer lies in the psychology of security. When setting up a security program, an organization’s executives must first consider what goes on in the minds of its employees. After all, 80 percent of security is psychology-driven, says Rich Maurer, associate managing director of the security services group for Kroll.

Even when the warnings seem reasonable enough, rationality often flies out the window—security in all its visual manifestations reminds us just how vulnerable we really are. “What to a CSO is an impersonal protective measure, to most employees represents an emotional message,” says Ken Siegel, a management psychologist and president of the Impact Group. “There’s no such thing as an antiseptic intervention.”

To understand how employees feel about security, one must recognize that their enthusiasm for such measures will wax and wane drastically over time. During periods of increased threat, the natural human reaction is to say, “I’ll do anything you want; just keep me safe.” But people can’t sustain that anxiety level indefinitely. As the threat diminishes or people become accustomed to the new level of risk, they start to question whether security really makes a difference, says Dr. Robin Dea, chair of the chiefs of psychiatry at Kaiser Permanente.

The challenge for an organization is to achieve a balance between visible and invisible security. On one hand, security must be obvious in order to deter the criminal element, but sometimes such visibility makes employees only more fearful and uneasy. “There’s always got to be a balance,” says Phil Banks, a former Canadian Mountie and current head of Deloitte & Touche’s security management group. “Some see the need to present an ID card as a measure of safety; others see it as just another manifestation of Big Brother.” -D.D.


International Security Management Association (ISMA)

MEMBERSHIP: More than 300 security executives from Fortune 500 companies with assets or annual sales of more than $500 million.

MISSION: An international security forum from every security discipline under the sun that shares information and best practices. This is where CSOs go to get the inside scoop on corporate safety in high-risk countries.

American Society for Industrial Security (ASIS)

MEMBERSHIP: Its 33,000 members hail from all levels of security practice and meet frequently for chapter meetings and conventions.

MISSION: Established in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security practices by gathering and disseminating knowledge through educational programs and materials that address all types of security concerns.

Information Sharing and Analysis Centers (ISACs)

MEMBERSHIP: Members are divided into specific industry sectors. Members must sign a nondisclosure agreement as part of the application process.

MISSION: The ISAC movement is all about securing economic sectors considered part of the country’s critical infrastructure, such as financial services, electric power, oil, gas, telecommunications and transportation.

InfraGard

MEMBERSHIP: Membership is available on a case-by-case basis in regular and secure classifications. Regular members are approved locally; secure members must be approved by the FBI and are required to sign an agreement with the FBI to share sensitive information.

MISSION: To promote information-sharing between the FBI and businesses, academic institutions, and state and local law enforcement agencies.




Stereotypes? Fuhgeddaboudit.

THE CSO ROLE Toss aside your stereotypes and get to know what your CSO really brings to the table.

“There’s this notion that security is about this cop mentality, and it makes the hair stand up on the back of my neck,” says George Campbell, president of the International Security Management Association (ISMA) and former CSO of Fidelity Investments. “We’re rejected out of hand as being too ignorant to appreciate business challenges. I bristle at that.”

“And we’re looked at as the techies who somehow managed to wriggle into management,” sighs Bill Spernow, CISO of the Georgia Student Finance Commission.

Neither statement could be further from the truth. Most CSOs are articulate, well-educated and extremely knowledgeable about business matters. Many have taken business leadership courses, and some have MBAs. In fact, Bob Littlejohn, vice president of global security for Avon Products, has designed the curriculum for ISMA’s Leadership Program, an executive development and leadership seminar for potential CSOs. The yearlong program, held at Georgetown University, focuses on business skills such as strategic planning in domestic and international business environments, analysis and decision making, negotiation, persuasive communication, and team building. Hardly the stuff of thick-necked cops.

If the world came crashing down around you, these are the people you’d want nearby. Littlejohn, in addition to possessing a calm, measured hand in times of turmoil—such as guiding Avon employees through the chaos of the Sept. 11 attacks—instructs employees in more than 120 countries on how to avoid getting kidnapped or carjacked.

CSOs are trained to protect you and your company’s assets, data and employees, and they aim to fit their policies into the overall business strategy. Dave Kent, vice president and CSO of biotech giant Genzyme, is partnering with President and CEO Henri Termeer to secure the company’s new all-glass headquarters. Kent, who is working to prevent the loss of intellectual property by way of people peering through the windows, has “scrubbed” the blueprints he’s filed with local agencies to keep people from knowing where labs and offices will be located in the new building. He’s even saved Genzyme huge amounts of money by streamlining access control systems (going from 13 systems to one).

CSOs simply want their boardroom peers to help them connect effectively with the business. “How many times has a CEO said, ‘If I had only known...’?” asks Lynn Mattice, director of corporate security for Boston Scientific’s global operations. “That’s where our real value lies. We are a major source of need-to-know information.”

-Simone Kaplan


DEPARTMENT OF BIG, SCARY NUMBERS

More than 6 million containers move through U.S. ports each year. Customs inspects only 1,200.

SOURCE: GERALD DILLINGHAM, DIRECTOR OF CIVIL AVIATION ISSUES FOR THE U.S. GENERAL ACCOUNTING OFFICE, TESTIFYING TO THE NATIONAL COMMISSION ON TERRORIST ATTACKS

Information Systems Security Association (ISSA)

MEMBERSHIP: Any level of infosecurity professional is invited to join this, the largest nonprofit information technology security organization that cuts across all industry sectors.

MISSION: To promote management practices that ensure the confidentiality, integrity and availability of information resources. Advocate for the security function within companies.

Electronic Crimes Task Forces

MEMBERSHIP: Members come from federal, state and local law enforcement agencies, private companies, and universities. Chapters include Boston, Los Angeles, New York City, San Francisco and Washington, D.C.

MISSION: To increase the resources, skills and vision by which law enforcement agencies team with prosecutors, private industry and academia to protect corporations and consumers from electronic crime.



ORGANIZING SECURITY IS a tricky task; every option has its benefits and limitations.

Not that long ago, the chief security guy at many companies was the one dozing before a wall of closed-circuit monitors. The position was many, many levels below that of the CEO on the organizational chart. Now, forces ranging from Sarbanes-Oxley legislation to terrorism are pushing the security function up the org chart, but where security belongs remains a vexing question. Here are three models, each with its own set of pluses and minuses.

1. The Great Wall: No connection between corporate and IT security.

Pros: Advocates of this model say the skills needed to manage infosec and corporate security are vastly different.

Cons: Endemic communication breakdowns, particularly because of longstanding mistrust between the two arms of security. IT is expected to police itself. And giving the title CSO to the infosecurity leader is semantically misleading, since that person isn’t a single point of contact for all matters security; CISO is a clearer title for that function.

Works if: The CIO and COO/CFO agree on the priority level of security, communicate well with each other and understand how the two security domains can work together. (Classic example: Investigating a cyberincident may require the technical expertise of infosec workers in concert with the investigative skills of the corporate security group.)

Breaks down when: The CEO allows power struggles and personality clashes to fester.

2. The Hybrid: Despite the presence of a CSO, security responsibilities are scattered.

Pros: Variations on the following chart commonly evolve to match the skill sets of people already in the company.

[Org chart, labels only: Head of Engineering; Security Engineers; Security Operations; Audit, Policy, Recovery; Physical Security.]

Cons: Who’s really in charge? Design and implementation of security measures are held separately. Enormous amount of communication overhead. And the CSO has accountability but little authority.

Works if: Responsibilities are clearly delineated so that security measures don’t fall into the cracks. All concerned parties play well together and have a process for adjudicating disagreements.

Breaks down when: Business units dig in their heels over security spending or compliance.

3. The Matrix: Security is centralized under the CSO, with dotted-line reports to business functions.

[Org chart, labels only: Information Security; Physical Security.]

Pros: Less common today than the other two models, but it best addresses the requirements mentioned at the outset. The CSO is in a position to provide the CEO and the board with a comprehensive overview of security risks and actions taken to mitigate those risks.

Cons: Incumbent on the CSO to understand the business priorities so that money gets spent in the most effective manner. If poorly managed, the security function will turn into a fief, out of sync with the business plan. May prove difficult to find a CSO with strong knowledge of both information and corporate security.

Works if: The CSO is really a CSO—someone who can articulate the business imperative for appropriate security measures and influence low-level employees as well to ensure policy compliance.

Breaks down when: The CSO is an empire-builder or brow-beater.

VIEW FROM THE COO First, whether we like it or not, from an information and data standpoint, the world is evolving to be inherently less secure. It’s not just the Internet environment, either. Broad new communications capabilities—from wireless devices to global positioning—create vulnerabilities. And there are more motivated people trying to exploit more vulnerabilities with more sophistication than ever before. The stakes and rewards are being raised as more valuable information becomes available on the Internet.

At the same time, it has become dreadfully clear that, as a society, we are more exposed than ever before. Our economy is increasingly based on thoughts and ideas—intellectual property that can’t just be locked away or written down and hidden.

In not-so-subtle ways, these risks should demonstrate the need for executive-level security. It’s an endorsement that, for me, is easy to make because I’ve come to understand and appreciate the value of security to our organization. At the same time, as a chief operating officer, it’s a commitment that sometimes challenges me fully.

Think about the divergent and sometimes polar-opposite goals of security and operations. There are three things that I think about with any business decision. First, what will the decision cost? Second, what is the return on investment? And finally, what is the effectiveness of such a decision? It’s this last point about which the CSO cares most. And he is willing or even mandated to ignore the other two to achieve that end because, when it comes to security, effectiveness often increases cost dramatically and reduces ROI (if any ROI is even attempted).

In short, securing operations costs money, hinders convenience and impairs collaboration. Which makes it even harder for me to say the following: It’s a good idea to secure operations—even if it means higher costs, hindered convenience and impaired collaboration. The risk is just too high if someone gets access to our systems.

As one might imagine, this new way of approaching security was no epiphany for me. It took, and it continues to take, hard work to operate in the new security reality. It also requires an executive-level security presence to make me and the other nonsecurity executives understand why these operational sacrifices are necessary. By pushing security down to a lesser level, members of the C-level suite might find it easier to focus squarely on their goals without ever having to heed security concerns.

The security maturity here at the Software Engineering Institute (SEI) is high. That’s because we’re a pure research organization, and we understand what happens if that research—our intellectual property—is compromised. Also, the CERT Coordination Center for reporting security vulnerabilities is part of SEI, so we practice what we preach in terms of adopting security best practices.

But even here, creating the security mindset hasn’t always been easy. We have had strong arguments between staff members who want wide-open access because it benefits research and collaboration, and security-conscious employees who know what wide-open access really means in terms of vulnerabilities. We’re always debating that balance between security and availability.

In some cases, the scales tip toward security. We have purposefully scotched efficiency in spots—for example, by forbidding log-in by employees until critical patches are applied to their systems, by setting up VPNs for home users and by banning anonymous FTP access. Not all of that was OK with the staff at first. We did it anyway, and we’re better off for it.

But our approach to security sometimes has bothered partners, or even customers, who are suddenly faced with minor obstacles to collaboration. In some cases, we’ve switched vendors for security reasons. Yes, we get complaints, but, just as we do with our own staff, we take the time to explain why we’ve taken whatever convenience-threatening step we have, and inevitably our partners and customers (and sometimes even our vendors) adapt.

In other cases, our approach will favor operations—adding many layers of security doesn’t always immediately prove to be a good idea for everything we do. We won’t spend money to be safe if there’s no return. And we force our security group to demonstrate that return.

I am, after all, still a COO.

Clyde Chittister has been with SEI since 1985. He is a leading expert on software and risk management.


You Oughta Audit

YOUR ORGANIZATION AUDITS ITS BOOKS. WHAT ABOUT ITS SECURITY?

ALTHOUGH AUDITING HAS long been a part of operating military and financial computer systems, CSOs in other arenas have been somewhat slower getting into the act. It wasn’t until the Health Insurance Portability and Accountability Act (HIPAA) regulations came into force that health-care providers were legally required to audit their systems. Nevertheless, auditing is an important element in running any complicated system: It verifies that things are really set up the way you think they are.

So if you don’t audit your computers, it’s time to start.

If you have a network of PCs, one of the most important audits to do is a software license compliance audit. Such an audit verifies that the software installed on your employees’ desktops has been properly licensed. That is important to do, since companies have been fined tens of thousands of dollars for illegally copying programs. Conduct a few audits, and you’ll quickly see the financial advantage of open-source software.

While auditing your desktops, you might be tempted to inventory your users’ documents too. An unannounced audit can uncover transgressions. But beware: Employees can sue for invasion of privacy unless you’ve notified them in writing that such audits might happen.

Many companies have started auditing their Internet connections. Computers can report the websites that each employee visits, determine with whom they exchange e-mail and calculate when an employee arrives at her desk. More advanced systems can even record e-mail sent and received and hold that information indefinitely. But Harvard Law professor Jonathan Zittrain, a noted expert on computer law, warns companies about going too far. “The more [organizations] know, the more they’re responsible for knowing; it’s a strange feedback loop,” says Zittrain, who recommends creating systems that don’t collect “every dram of mouse dropping.” Such systems, he says, “can be both legally helpful—so long as they don’t amount to willful or studied ignorance.”

Auditing is also an important tool for companies to collect proof of harassment among employees: a necessary precursor to punishment or termination. “The moment employees’ private doings go beyond their own screens and into the workplace, either because others see what they’re up to, or because they circulate their doings over the network, it’s clearly something for which the company has to take responsibility,” says Zittrain.

Audit trails can also be forged, says Rebecca Mercuri, an expert on electronic voting systems and an assistant professor of computer science at Bryn Mawr College, and there is frequently no substitute for paper records. There is also no substitute for auditing the audit systems, a process that she says is lacking in today’s electronic voting machines. “Neither election officials, candidates nor voters are provided with any way of validating whether the equipment was operating properly throughout the election,” she wrote in the Communications of the ACM. -Simson Garfinkel


A Homeland Defense Primer

GOVERNMENT The Department of Homeland Security, born November 2002, is the most significant security effort by the federal government: the largest government effort since Truman created the Department of Defense after World War II. DHS pulls in 170,000 government employees from 22 distinct agencies.

That said, making this mega-entity work could be as difficult as trying to locate Osama bin Laden. Critics of DHS question if the reorganization itself is too big a logistical undertaking. Beyond that, some wonder if trying to mesh so many entities and people together into a huge, new bureaucracy is even necessary. Does it make sense for the Coast Guard and Customs to have the same mission and boss as a group such as the Critical Infrastructure Assurance Office, an IT security group?

Proponents say DHS will create efficiency. Former Treasury Department CIO Jim Flyzik notes, for example, that currently 40 agencies deal with border crossing issues, a nightmare for import and export businesses. In addition, the administration will argue that the border issues are also dangerous because key security data can get lost in bureaucracy. The DHS also wants to integrate 58 disparate “watch lists” for wanted criminals.

But skeptics wonder if all this really tightens security, and if intelligence agencies such as the FBI and CIA, which remain outside the DHS but are critical to its success, will share information willingly. Still, besides the benefits of consolidation, the administration is banking on the department’s higher purpose to help it succeed. The idea that this is a response to terrorism (to 9/11 directly) and an effort to save American lives will be incentive for many people to discard their agency hats for new, larger-size homeland security headgear.

Sept. 11 singed a permanent memory in America’s psyche, which includes the DHS workers who patrol the borders, respond to disasters, and analyze intelligence day in and day out. Their commitment to defend the nation will, at a minimum, give the new department a fighting chance. -Todd Datz




Insurer USAA takes continuity planning seriously, holding drills to teach its executives how to deal with disasters like biological attacks (left) and resulting trauma (above). CIO Steve Yates (top, far left) mans the command center.

Your Required Participation Is Appreciated

BUSINESS CONTINUITY On a hot, muggy day in July 2002, 650 executives and staff from USAA, one of the nation’s largest insurers, gathered to hear a terse announcement by CIO Steve Yates. “A major U.S. bank has just reported a bomb at its headquarters,” he says. The day before, the FBI had warned USAA and its financial services brethren of potential terrorist threats to those in the industry.

In response to Yates’s words, the hushed room turned into a flurry of activity as the gathering—comprising the members of the company’s corporate situation management team—shifted into response mode. Emotions ran high and adrenaline rushed wildly. But fortunately, it was just a drill.

While USAA may seem to take an overzealous approach to continuity planning, consider the stakes. The company manages $64 billion in assets, houses up to 20,000 Texas-based employees, and operates in 5 million square feet of office space. So a major security event could result in significant casualties. But even companies that believe their risk to be lower than USAA’s—as well as those that know they can’t afford a drill this elaborate—should involve the entire executive staff in disaster recovery/business continuity planning, or DR/BCP.

It’s no accident that USAA includes many of its top executives in its continuity planning drills. In fact, that’s precisely the reason the company is successful with DR/BCP. Often, the cost of such drills is so prohibitive that executives don’t want to stage them, and they also question the likelihood of such catastrophes. If the CEO has that mind-set, so will the CEO’s employees. Ultimately, security will suffer.

Executive support, buy-in and participation are key to an effective corporate security program. “There are so many interdependencies today,” says Wayne Peacock, senior vice president of corporate real estate for USAA. “It’s not just a physical security issue; it’s not just a technology issue; it’s not just a line-of-business issue; and it’s not just a corporate issue. They’re all going on at the same time.”

Because effective security touches all aspects of an organization, your CSO needs the power to oversee companywide response strategies. Your support and, most important, your participation will drive those strategies.

If your CSO is putting together a response team (generally composed of business unit representatives and executive counsel—along with staff members from finance, HR, e-business, general counsel and corporate communications), let the company know you support it, no matter how remote a threat seems. Endorse the security team’s desire to create executive succession plans in the event of the unthinkable.

Participate in regular tests of the various response plans. Lead by example. Set the tone for the company, and watch everything fall into place. Such participation on the part of boardroom executives will prove that the company has effectively integrated the safeguards essential to enterprise protection—and will buy you loyalty and security in the long run.

-Daintry Duffy



All Together Now

Despite a renewed interest in communication between corporate security staffs, few companies have established lasting lines of communication.

[Chart: At your company, how often do information security staff and physical security staff work together? The response breakdown is not recoverable from the page.]

SOURCE: FORRESTER RESEARCH, “I.T. SECURITY FAILS—NOW WHAT SHOULD THE CIO DO?” 82 RESPONDENTS

A Tough Call

INCIDENT RESPONSE The decision to report a cyberincident is never one to take lightly.

Once your CSO reports an incident, the public turns its eye toward your business, you feel vulnerable to future attacks, and you worry about damaging shareholder value. But with the number of reported cyberincidents on the rise—up from just six in 1988 to 82,000 in 2002, according to The CERT Coordination Center—there must be good reason for doing so.

Companies are discovering that not reporting an incident has more negative effects than if they had actually reported it in the first place. If your investigation remains internal and you lose intellectual property, your market share can plummet, and you run the risk of your customers knowing more about your product plans than you do. And customers always find out about breaches, so experts suggest putting yourself in front of the crisis by involving authorities instead of whistling past the graveyard.

Generally speaking, a computer incident is anything that potentially compromises the confidentiality, integrity or availability of a computer system. An incident can range from a simple power outage to a sophisticated denial-of-service attack. A smart CSO knows that calling in the authorities protects you from the very situations you fear. To better understand a CSO’s decision making, you need to know some basics about cyberincidents:

■ The best defense against a cyberincident is a good offense. Your CSO needs your support in drafting an incident response plan that includes a response team representing the organization, an incident reporting form, a flowchart that details the process, and a post-incident review procedure to ensure continuous improvement.

■ The CSO should report an incident when your company’s proprietary information and intellectual property have been compromised or stolen, or if an illegal act has taken place inside the company.

■ Law enforcement can do more in an investigation than a private company can do. For example, companies can’t arrest someone, nor do they have the resources to track down intruders outside of the company.

■ Your CSO should never make the decision to call law enforcement without first discussing it with the executive committee. Because incidents usually have a direct impact on the business, your CSO needs your input on when and whom to call.

-Simone Kaplan


The Patch Problem


PATCHING SOFTWARE Right now the most common defense against the steady flow of pestilent computer viruses and worms, patching, doesn’t work. In fact, the whole process of patching is coming undone. Last year, the CERT Coordination Center published nearly 4,200 vulnerabilities. If your CSO’s employees spent just 10 minutes researching each vulnerability, they would have used up 700 hours right there.

That’s before a patch is even applied. When that happens, there’s the problem of different versions of software requiring different combinations of patches. Any CSO worth his salt will also do regression testing on patches before they go live, since so many of them end up breaking applications or actually making the network more vulnerable. As Peter Tippett, CTO of TruSecure, notes, your company could have been perfectly rigorous in applying all of the patches against Slammer and you still would have been vulnerable. At any rate, regression testing can take months; the Slammer worm did all of its damage in 11 minutes.

For a long time, security staffers have tried to keep up; it was the only option. Consider that Intel says of its own network, “The Intel IT organization ran 3.7 million scan sessions in 2002, and deployed 2.4 million patches.”

But given the increasing complexity of patching, keeping up is no longer tenable. Thus, a new conventional wisdom is emerging: Patch less. “We get hot fixes every day, and we’re loath to put those in,” says Frank Clark, CIO of Covenant Health. “Patches often do more harm than good.” Instead, Clark is part of a growing contingent that has decided to limit patching to only the most critical vulnerabilities, which requires expertise for putting threats into context, something either a vendor or hired staff will have to provide. Such a counterintuitive approach reflects a growing interest in looking at computer security in a risk analysis context, not as a black-and-white state. The idea behind patching less rests on the premise that the overwhelming majority of vulnerabilities pose so small a threat that they can be safely ignored. Then the time, money and resources freed up by not chasing every patch on every system can be better used to focus on mitigating the real threats.

“Patching is the worst possible risk reduction model,” says Tippett, whose own company’s research suggests that in the past 12 years, only 2 percent of all software vulnerabilities ever affected anyone. “Executives get risk. They understand how to use risk. The security staff, not so much.” In other words, executives must help inculcate risk analysis into IT security, which is desperate for it.

More and more experts say that even a little risk analysis shows why patching as currently practiced doesn’t work, which makes patching a natural place to start introducing risk analysis, since CSOs are getting two very different, competing messages. Even as the “patch less” mantra gains favor, a bevy of vendors are saying patch more: indeed, patch everything, but automate the process with software that will do the grunt work for you. This new class of software, called patch management, has many advocates and even has a place in a patch-less world. -Scott Berinato
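Putting threats into context, as Clark and Tippett describe it, is a scoring exercise: the vendor’s severity rating is only one input, and exposure, active exploitation, asset value and existing compensating controls decide whether a fix is applied this week, scheduled into a maintenance window or deferred. The Python below is an added example of that triage, not code from CSO, TruSecure or Covenant Health; its weights, thresholds, asset inventory and advisory identifiers (ADV-A through ADV-E) are constructed assumptions that a real program would tune. It also shows the inventory check the article alludes to when it mentions different software needing different patches: an advisory for a product nobody runs scores zero, whatever its severity.

```python
"""Risk-based patch triage.

Added example for this handbook entry; it is not code from CSO, TruSecure or
Covenant Health. The weights, thresholds, asset inventory and advisories below
are all constructed for illustration and would be tuned per organization.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    software: str                # product the advisory applies to
    internet_facing: bool
    criticality: int             # 1 (lab box) .. 5 (revenue-critical)
    compensating_control: bool   # e.g. a firewall rule already blocks the vulnerable port


@dataclass(frozen=True)
class Advisory:
    ident: str
    software: str
    severity: int                # vendor or CERT rating, 1..5
    remote: bool                 # exploitable over the network without credentials
    exploit_public: bool         # exploit code or a worm is already circulating


def risk_score(adv: Advisory, asset: Asset) -> int:
    """Score one advisory against one asset; 0 means not applicable.

    Severity alone is what "patch everything" keys on. Exposure (remote,
    internet-facing), active exploitation and asset value are what turn a
    severity rating into a business risk; an existing compensating control
    halves the result because the patch is no longer the only defense.
    """
    if adv.software != asset.software:
        return 0
    score = adv.severity * asset.criticality * 2          # 2 .. 50
    if adv.remote:
        score += 15
    if adv.exploit_public:
        score += 20
    if adv.remote and asset.internet_facing:
        score += 15
    if asset.compensating_control:
        score //= 2
    return score


def triage(advisories: Iterable[Advisory], assets: Iterable[Asset],
           patch_now: int = 60, schedule: int = 30) -> Dict[str, Tuple[str, str, int]]:
    """Map each advisory id to (decision, worst_asset, worst_score).

    The decision is driven by the single most exposed asset: one unpatched
    internet-facing box is all a worm needs.
    """
    assets = list(assets)
    result: Dict[str, Tuple[str, str, int]] = {}
    for adv in advisories:
        scored = [(risk_score(adv, a), a.name) for a in assets if a.software == adv.software]
        if not scored:
            result[adv.ident] = ("not_applicable", "", 0)
            continue
        worst_score, worst_asset = max(scored)
        if worst_score >= patch_now:
            decision = "patch_now"
        elif worst_score >= schedule:
            decision = "schedule"
        else:
            decision = "defer"
        result[adv.ident] = (decision, worst_asset, worst_score)
    return result


# Constructed sample inventory and advisory batch (not real systems or CVEs).
SAMPLE_ASSETS = [
    Asset("web01", "dbserver", internet_facing=True, criticality=5, compensating_control=False),
    Asset("hr-db", "dbserver", internet_facing=False, criticality=4, compensating_control=True),
    Asset("lab07", "dbserver", internet_facing=False, criticality=1, compensating_control=False),
    Asset("kiosk", "officesuite", internet_facing=False, criticality=2, compensating_control=False),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-A", "dbserver", severity=5, remote=True, exploit_public=True),     # wormable
    Advisory("ADV-B", "dbserver", severity=2, remote=False, exploit_public=False),   # local DoS
    Advisory("ADV-C", "officesuite", severity=3, remote=False, exploit_public=False),
    Advisory("ADV-D", "mailserver", severity=5, remote=True, exploit_public=True),   # nothing runs it
    Advisory("ADV-E", "dbserver", severity=4, remote=False, exploit_public=False),   # authenticated privesc
]


if __name__ == "__main__":
    ranked = sorted(triage(SAMPLE_ADVISORIES, SAMPLE_ASSETS).items(),
                    key=lambda kv: -kv[1][2])
    for ident, (decision, asset, score) in ranked:
        print(f"{ident}: {decision:14s} worst={asset or '-':6s} score={score}")
```

Run as a script it prints the batch ranked by risk. The deciding asset is reported so the CSO can see which single machine forced a “patch now” call, and a compensating control (the blocked port on hr-db) visibly lowers urgency rather than removing the item from the list, so the decision to skip a patch is recorded as a decision rather than an oversight.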


36  www.csoonline.com  Security  Handbook  2004 


Orange Alert: Red Tape

LEGISLATION Regulation, a word that has always chilled the hearts of businesspeople, now looms heavier than ever for private sector security. It threatens to grossly complicate the lives of CSOs and impose an unanticipated burden of cost and administrative hassle on their organizations. That is the assessment of Bob Hayes, former security executive at Georgia-Pacific, who has recently inventoried pending initiatives beginning to issue forth from various government agencies in response to 9/11.

Pieced together in Hayes’s thick three-ring binders is evidence that, he believes, security is well on its way to becoming a fully regulated industry (despite the theory that market forces, more or less unaided, will compel right behavior). “When you start putting the whole picture together, it’s not just computer security, it’s not just physical security,” Hayes says. “It includes how you hire people, how you build your warehouses. That’s the story we’re trying to tell: the magnitude of what’s coming down the road.”

Want a taste? Hayes cites new federal agency regulations. U.S. Customs is adding extraordinary stringency to the process of shipping container freight from overseas to U.S. ports of entry. The Department of Transportation is weighing in with new regs on how goods, especially hazardous materials, are shipped. And there are executive orders signed by President Bush addressing terrorism on everything from immigration policy to citizen preparedness. Reporters’ inquiries into these directives sometimes produce round-robin referrals that, eventually, end up where they began and produce no definitive answers. “I get a headache every time I get into this,” says Hayes. “It’s so complex, and there are so many people working on it, and obviously nobody is talking to anybody else.”

For CSOs, the easy way out would be to let someone else deal with the problem. But, as Hayes sees it, this is a make-or-break opportunity for the profession. CSOs, he says, “have a choice: to either be part of [the process] or sit back and let people who have no expertise in security handle it. That’s not a smart move because then somebody says, Why do we need a security guy?” Here’s why. As the layers of “guidance” pile up on top of security-related elements of business practice, someone had better pay big-picture attention to the regulatory burden borne by the business. -Sarah D. Scalet


REGULATION Not long ago, the acronym FOIA, which stands for the Freedom of Information Act, was sliding off the tongues of security officers everywhere. Well, sliding is too gentle. FOIA, pronounced foy-uh, was being spat. That’s because, for many CSOs, this 35-year-old rule book on how members of the public can shed light on the private machinations of their government is nothing but a huge, gaping security hole, one that makes them loath to share information about their security practices with the U.S. government.

As you’ll see, they’re right. And they’re wrong.

Established in Section 552 of Title 5 of the United States Code, FOIA was passed under the premise that sunlight is the best way to dispel chicanery in every corner of the government. The law creates procedures for members of the public to write to a federal department or agency, describe specific information that they believe the agency has on file, and request photocopies of the records. Best known as a tool for gumshoe journalists and conspiracy theorists, FOIA is used by advocacy groups, government watchdogs, academic researchers, lawyers and all kinds of curious individuals, U.S. citizens or not. It’s also used by businesses conducting competitive research.

In FY02 alone, 182,079 FOIA requests were filed by people who wanted information on everything from deported refugees to product safety to suspected UFO activity. Not all those requests were granted, of course. When presented with a FOIA request, a government agency can deny it on the basis of one of nine exemptions. For example, records that might damage national security are exempt from requests, as are details about law enforcement investigations (although court documents are part of the public record).

After 9/11, the government cranked up its plea for private industry to help protect the nation’s critical infrastructure. About 85 percent of our critical systems, such as those in banks and telecom companies, are controlled by businesses, but citizens rely on them for their health and financial well-being. The feds said they wanted information about weaknesses in this infrastructure so that they could help companies protect themselves. CSOs said they needed a new FOIA exemption to ensure that this information stayed with the federal government.

On Nov. 25, 2002, when President Bush signed legislation creating the Department of Homeland Security, the CSOs got their wish. A small section of the new law protects voluntarily submitted information regarding “the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution or other informational purpose” from public requests submitted under FOIA. More controversially, it also stipulates that the department not use the information in any civil action without the written consent of the entity that submitted the information.

For protection, the person or group giving the info must provide written notice stating, “This information is voluntarily submitted to the federal government in expectation of protection from disclosure as provided by the Critical Infrastructure Information Act of 2002.”

Labeling or no, it turns out that a FOIA exemption wasn’t enough. No matter the potential benefits, CSOs still don’t want to give up sensitive information that’s so potentially damaging to their companies.

Can you blame them? -S.S.




THERE’S A security professional out there who was formerly the CSO at an online trading firm and now is CSO for a security product vendor. Without the faintest hint of irony, he suggests that the average corporate security budget should be 4 percent to 10 percent of total revenue. He says he’s now comfortable with executives laughing in his face.

Naive as it sounds, it points to a real disconnect between security executives and the rest of the board. Even as security gets more money, an average 29 percent increase last year, those in charge of security believe the budget increases are way too small, that a 77 percent increase is more justifiable.

And that’s just the start of it. Although every trend indicates that physical and IT security will merge, a CSO survey shows that seven out of 10 companies haven’t merged budgets for the two disciplines. Seasoned security professionals argue against IT security spending going under the purview of the IT department (because of conflict of interest), yet three-quarters of companies in the survey do just that, averaging 10 percent of their total IT budget devoted to security.

Security budgets overall are widely dispersed, according to the survey, with about a third falling under $100,000, a third between $100,000 and $1 million, and a third more than $1 million. Of course, it’s hard to gauge if that’s actually meaningful because some of those budgets will include all security expenditures, while others will omit certain items that, in the context of that particular company, fall elsewhere, like disaster recovery, loss prevention or audit functions.

And just to completely muck up the picture, a recent Office of Management and Budget study found, for federal agencies anyway, no correlation between an increased security budget and increased security effectiveness. All of which is to say, if you want a number for what makes a good security budget, we ain’t got one. We’re not even sure we can put you in a ballpark. If creating a security culture is like sawing through a piece of wood, budgeting is that knot that jams and bends your saw, and probably sprains your wrist.

So without hard facts to give you, we will resort to offering general truths about security budgeting. They are:

1.  You  need  to  increase  your  security 




Peer to Peer


VIEW FROM THE CFO Thinking about security has become second nature to us at Genzyme. In fact, security is an integral part of everything we do. Our company’s lifeblood is intellectual property and the people who create it. So we’re very aware of protecting both. Some companies have only begun to establish a stronger security sense since 9/11, somewhat like hiring a CFO only when you need to close the books at the end of the quarter.

Dave Kent, our vice president and CSO, and I work very closely together. We are members of common work teams and frequently meet informally. It is imperative that the CFO and CSO maintain a close relationship. Failing to maintain a close and open working relationship leads to potentially costly decisions.

As for educating ourselves about security, the senior management staff meets frequently, formally and informally. We use such occasions to review changes in our business, discuss both new and ongoing programs, and review functional areas. But it is the ongoing contact with Dave that provides the real education. Since we have had a CSO for so long, it has become second nature for us to integrate security into everything at Genzyme. The nature of our business dictates that everything we do has the highest standards built in. Security is part of those standards, and it starts at the top. If security is made a priority and it has become a natural part of your work life, you think of it less as an event and more as business as usual. For us, being smart about security is less a matter of spreading the education and more just a basic part of our lives. It’s less of a process of who educates whom and more of a natural offshoot of our culture. Because the nonsecurity executives at Genzyme are aware of security, they tend to seek out Dave at the same rate as Dave educates them and their staffs. We think of it more as a dialogue than an educational series.

As a biotech company, it is vital for us to do it right the first time. Everything we do needs

Continued on next page


budget. We can tell you that CSOs are understaffed and need more resources, human and financial. But the longer nothing bad happens, the more apathetic the CFOs and CEOs become about funding security, what CISO Bill Spernow of the Georgia Student Finance Commission calls security’s “half-life.” So don’t become apathetic after six months of incident-free living, but also don’t be afraid to demand some metrics to justify your continued empathy as well.

2. Your CSO must target spending more wisely. But sometimes it’s hard to tell if the budget a CSO gets is being well spent. Think of it this way: If you wear your seat belt for a year but don’t get in an accident, was that an effective security measure? What will help answer that kind of question is, again, an increased focus on metrics and viewing security not as a binary spend (either it makes us safe or it doesn’t) but as a risk equation (how safe does it make us relative to the cost?).

3. You should spend less on technology and more on education. CISOs, especially, seem to think the solution to every security problem is to throw more technology at it. “It reminds me of an article about a city in the Midwest that was experiencing problems with vehicles hitting pedestrians in the downtown area, and I remember an editorial suggesting that cars should be designed so that when a car is getting ready to turn, it will beep and the pedestrian will know that the car is coming. Nobody suggested we train pedestrians to look out for cars. We need to think from that other perspective,” says Spernow.

4. Last, you should use common sense, even in the wake of a major incident. Too often, top executives succumb to their emotions after a major incident. Someone steals intellectual property, and, to avoid bad press, the company pays a hacker an extortion fee. That kind of overreacting is human, but it’s also not the way to budget for security. It leads to wild overspending, followed by severe curtailing. It sends mixed signals about the value of security. It is a characteristic of a corporation that is reactionary to security, not proactive.

Trust us on this one: When you’re reactionary, security execs will take advantage of you. “What’s amazing about major incidents,” says Stephen Northcutt, a former CISO with the Ballistic Missile Defense Organization, “is that the status quo ceases. At that moment, you can go to the top brass and ask them for anything, and they’ll do it. Boom. And, 100 percent of the time, I’ve got something on my shopping list. And I’m completely brazen about it. It might have nothing at all to do with the incident at hand, but I’ll get it.”

The organization that inculcates security into its culture is more likely to budget well, so it all starts with awareness, education and executive endorsement. (By now, these are recognizable, recurring themes in this handbook.) And if your CSO asks for a budget of 4 percent to 10 percent of total revenue, it’s OK to laugh, unless that’s what you need. -Scott Berinato


[Chart: What are your company’s top three areas of IT security investment? Categories: Technology; Education; Consulting/outsourcing; Other. SOURCE: CSO SURVEY, “SECURITY SPENDING: HOW MUCH IS ENOUGH?” MAY 2002.]




to be of unassailable quality, from the clinical trials to the protection of our employees. For us, there truly is no alternative. The risks are simply too great. Through the integration and involvement of security during the design phase, we avoid costly surprises later. We monitor all expenditures closely. We review what programs work and which don’t. But in the end, it all comes down to early involvement and doing it right from the beginning.

Companies need to think about the CSO role as part of their daily business life. While September 11 increased the awareness and need for CSOs, we know that you can’t think of security in terms of one-time events. Our employees, our patents and our business are simply too important to take a chance. Think of it like electricity. When the power goes out for most of us, it’s an inconvenience that means we might lose some food in the refrigerator. But the repercussions of a power failure increase significantly for someone on a respirator or other medical device that is vital to his life. Nonsecurity executives need to think about security the same way. The costs of a security failure can easily become a determining factor of a company’s success or demise.

Michael S. Wyzga is corporate executive vice president, corporate controller, CFO and chief accounting officer of Cambridge, Mass.-based Genzyme.


Be the Tortoise


PLANNING As the United States prepared to wage war on Iraq, peace of mind could be had for $20 at the corner store. Duct tape, potassium iodide tablets and a 5-gallon jug of water were the celebrated “duct and cover” of the terrorism age, bought, paid for and carried home in a paper sack. Here was something tangible that Americans could do, or at least think about doing: They could seal windows against chemical and biological agents, protect their families from radiation poisoning and have drinkable water in case the reservoirs were somehow poisoned. Problem solved.

But as the months went by with no new attacks on American soil, the water got drunk and the duct tape unrolled, while the iodide pills gathered dust awaiting their expiration dates. Nothing had happened, so why bother buying more supplies? Crank the security threat dial-o-matic back to a one, kids, or maybe even a zero.

That is a human reflex, and one that plagues corporate America as well. For businesses, the sequence goes like this: Perceive a threat, probably because something terrible has happened, like a website defacement. Scurry around throwing money at the problem for a month or two. Then, when nothing else happens, decide the money was wasted. Ignore threat. Reduce funding. Shampoo. Rinse. Repeat.

We overreact when something bad happens and underreact when nothing happens at all. That’s no way to approach security. And nobody understands that better than a CSO. In fact, a primary role of the CSO is to help your organization find equilibrium: to ensure that you don’t foolishly spend your wad on iodide tablets one day, when what you really should do is have ongoing family discussions about how and where you would find one another during an emergency.

Sure, the CSO has selfish reasons for wanting to find this balance. Nobody wants to see his budget slashed in half one year and doubled the next; that’s disruptive.

But the CSO, in advocating for equilibrium, also has your company’s best interests in mind. Security, good security, that is, is about risk mitigation, not response. It’s about prevention, not reaction. And it’s about long-term solutions, not quick fixes.

If something bad does happen, you may still need to react. Your organization’s vulnerabilities might have changed, or maybe there’s a new threat that needs to be addressed. But instead of cranking the security dial-o-matic from zero to 10 and then back down again, perhaps your CSO can help you nudge it from a five to a six.

None of this is quite as instantly gratifying as a new roll of duct tape, of course. But in the end, you’ll be a whole lot better off.

-Sarah D. Scalet


Safe Harbor


PORT SECURITY In the team-building portion at your last company offsite, you probably remember an exercise where group A led group B through an obstacle course. Presumably group B exited the course unscathed. The game is similar to the real-life scenario being played out at shipping ports around the world today: In an attempt to lead businesses through transport’s security maze, the U.S. Bureau of Customs and Border Protection has created several programs to address the inherent lack of trust in the cargo system so that things can move more swiftly through the supply chain.

The Customs-Trade Partnership Against Terrorism, or C-TPAT, is a joint initiative between the government and the private sector aimed at safely expediting containers through ports. Companies that promise to use good security measures and provide documentation of the containers’ contents to Customs officials will be rewarded with an accelerated shipping schedule, kind of like a fast lane for cargo.

Companies that enroll in the program must perform self-assessments of their supply chain security and implement a security program that follows C-TPAT guidelines.

The guidelines focus on security



Money Well Spent (and Spent and Spent...)


BUDGETING Stop viewing security as a cost center. Turn it into a business driver.

Nearly everything you do at the executive level is measured in terms of cost and benefit. You use raw data such as financial statements, actuarial tables and decades’ worth of academically rigorous research to ensure that for the shekels you shell out, you’re getting something in return.

Security, though, is different. Or it was different. Your CSO gets the message loud and clear that he should spend the least amount of money possible to protect the enterprise. Security has long been considered a function that requires spending, with little or no measurable benefit on the investment. That’s a discomforting thought when you’re used to applying everyday business metrics to expenditures.

Security is a classic cost center. A comprehensive security program, including physical and IT security, fraud prevention, workplace safety and intellectual property protection, is no longer optional, according to Tina LaCroix, vice president and CISO of Aon. What’s more, she says, “It’s a forever commitment, not a one-time expense.”

Sounds like bad news. But it isn’t. As security and the CSO role rise in prominence, executives will bring their CSOs and CISOs, and their security requests, into the world of business, where investments are rigorously measured as something that must be proven beneficial.

Traditional theories and models of risk management must be inculcated into the security world, known for its traditionally dogmatic view. “If you don’t manage risk, you’re going to lose money,” says security consultant Steve Katz, a former CISO for Merrill Lynch, Citigroup and J.P. Morgan. “Companies have been great about looking at credit risk or the risks of a particular customer or region. Companies and regulators are simultaneously beginning to realize the importance of operational risk and information security as a component of it.”

In the coming years, the security community will be working with auditors, lawyers, economists, accountants, insurance companies and a host of other experts to find ways to put structure around the money spent on security. The ability to join in this dialogue is vital to CSOs.

The most important thing you, as a company executive, can do is to recognize security as an integral part of your organization and embrace the CSO as part of the executive team, all the while insisting that the CSO learn and practice risk, cost-benefit analysis and the like. Encourage him to take business courses or perhaps pursue an MBA. While your employees will respect your CSO’s authority, your outward support of his initiatives and a commitment to his professional development will go a long way toward making security awareness part of the corporate culture.

You and your CSO have the same goal: Be smart about risk without going overboard on cost or governance. CSOs want to make other executives’ jobs easier, so do the same for them. And give them the tools they need to make wise decisions.

Your business’s success depends on it. -Simone Kaplan


compliance of facilities, access, procedures, personnel, documentation and training.

“Anyone at a terminal of a trucking company could infiltrate the cargo supply chain, especially overseas where background checks aren’t allowed,” says Ken Wheatley, vice president of corporate security for Sony. Wheatley is also a member of an advisory council for the C-TPAT initiative that is working with Customs to devise appropriate security guidelines for manufacturers. “The obvious difficulty,” he says, “lies in managing a coordinated effort between various government entities. If you have the Drug Enforcement Agency, Food and Drug Administration, and Customs independently coming up with regulations without communicating with each other, the end users will get caught in a vise with inconsistent standards.”

Another initiative, called the Customs’ Container Security Initiative, or CSI, was launched in January 2002, to ensure the security of those containers in transit by using technology to prescreen and secure containers. Of the top 20 ports worldwide, 18 have already joined CSI. According to Wheatley, becoming a member of the initiative means you are “a trusted importer.” To attain that status, you must provide Customs with details of what you’re shipping and documentation that demonstrates that you are shipping it safely. -Kathleen Carr


SAFETY IN NUMBERS

77%  Average recommended increase in information security budgets in 2003

36%  Percentage of companies that will actually get an increase

29%  Average expected budget increase of that 36% in 2003

SOURCE: CIO MAGAZINE SURVEY OF 276 EXECUTIVES. CIO IS A SISTER PUBLICATION TO CSO.




Road Rules


TRAVEL SAFETY The world has always been a dangerous place, but awareness of its perils has grown considerably in the wake of 9/11. Companies and their security officers have an established legal responsibility (a.k.a. “duty of care”) for the safety of employees who travel abroad or are assigned to expatriate postings.

As a result, corporate lawyers lose sleep. Each unprotected employee presents a significant liability to which boards of directors and CEOs are, increasingly, attuned. When questions of employee safety arise, it’s usually your CSO who ends up in the hot seat. And no CSO wants to be caught unable to answer the question, Are our people safe and accounted for?

“Expats and travelers expect more from the company in terms of security intelligence,” says Mark Cheviron, corporate vice president and director of corporate security and services for Archer Daniels Midland (ADM). “And so do their families.” Cheviron knows whereof he speaks; ADM has employees in more than 70 countries.

To feed their appetite for intelligence about fast-changing conditions in foreign locales, more and more companies are turning to third-party providers for expert help. The various providers offer a range of services consisting of regular bulletins, up-to-the-minute information and insight, access to emergency hotlines and, in rare instances, even rescue services aimed at extracting travelers in distress. Among the players in the field of so-called travel risk management are iJet (an analyst service allied with security behemoth Kroll), Pinkerton and U.K.-based Control Risks Group.

Your CSO will want to choose a provider based on the freshness of its information (how recent it is and how frequently it’s updated) and the depth of its reporting assets (how many people it has on the ground in how many foreign venues). Cheviron cautions about data overload. “You have to be able to cull out what’s important,” he says. To get a balanced view, he recommends asking for a list of client references and calling them. He also trusts peer evaluations from fellow members of organizations like the International Security Management Association.

In other words, if your company has a significant number of people traveling abroad, make sure your CSO has all the information he needs to protect employees from things that go bump on the road. -Daintry Duffy


The Crime That Keeps on Taking

INTELLECTUAL PROPERTY Your stuff gets taken without necessarily disappearing from the premises. The only way you figure out the crime has even occurred is that your competitive edge somehow vanishes into your arch rival’s new product launch. The stolen advantage becomes a deficit that can last for a very long time.

It’s the theft of intellectual property. “I call it the death of a thousand cuts,” says William Boni, vice president and CISO of Motorola. “Because most organizations don’t have a means for tracking the loss of proprietary information, they go on constantly hemorrhaging, losing market share. Gradually it takes the vitality out of the organization because it’s hard to invent things faster than people are stealing it.”

Dark forces are arrayed not just against the ones and zeroes of vital data assets, but against indiscreet conversations, improperly discarded documents, immodest descriptions of research breakthroughs offered up during presentations at conferences, and hiring processes rich with discoverable insight into areas of business growth. Protective strategies—which often fall to security executives to develop—depend on three things: identifying the assets most vital to the business; spreading awareness throughout the company of their importance; and pursuing ways to limit vulnerability to determined thieves.

Training rooted in enlightened self-interest plays a role, according to John Pontrelli, director of security at W.L. Gore & Associates. Pontrelli lets employees know how losing intellectual property hurts the company. “We rely on each other to protect our trade secrets. Maintaining the integrity of those secrets is the reason we are able to hand out bonus checks at the end of the year. So it affects everyone if something happens.”

In 2000, W.L. Gore created an intellectual property committee aimed at ensuring that communication with the outside world was not too revealing. Says Pontrelli, “The litmus test for all of us is to ask: Would I know this information if I didn’t work here? And would my biggest competitor want this information?”

The urgency of the protection mission is high, says James Chandler, president of the National Intellectual Property Law Institute. “If a company loses its assets, it could die. Intellectual property is what keeps a company viable.” -Sarah D. Scalet




PHOTO BY JEFF SCIORTINO


Exit Strategies: A True Story

SAFE TERMINATION We never had any proof that Charlie was engaged in criminal activity, but nobody really wanted to know. It was bad enough when we discovered he had lied about his job history and his home address. Why nobody had checked him out—well, mistakes had been made. But as a highly paid consultant, I was called in to do the cleanup.

Charlie (not his real name) was more than simply a highly paid systems operator. He had been hired as a “security architect”—the one person who knew the ins and outs of the firewalls, intrusion detection systems, backup auditing devices for the regulators, and even the desktop antivirus system. But that, it turned out, was the problem: Nobody else on staff really knew what Charlie was doing.

Charlie drifted into the office at 3 in the afternoon; he often stayed until after midnight. He occasionally picked fights with the cleaning staff; he went ballistic if anybody touched the papers on his desk. Some rationalized that he was just hypervigilant about his privacy, which was a good feature to have in a security director. But one day he threatened a coworker—“Be careful, or you might discover that all of your files have been corrupted”—and at that point we knew we had misjudged the situation. We had a problem on our hands.

The address that Charlie had given on his employment application—the address where we sent his paychecks—turned out to be a mailbox at Mail Boxes Etc. We went back and checked his references—finally—and only one could verify his former employment but said they couldn’t remember him personally. The other two companies were no longer in business.

A standard way to fire somebody is to have security meet him at the front door and escort him to his manager’s office while the security team goes to work. Over the next 10 minutes, the worker’s passwords are reset, his account locked and his card pass deactivated. The employee would then be escorted to his desk to watch while his belongings are inspected and packed—after all, you don’t want a terminated employee to “accidentally” pack up something that’s company-confidential. Finally, he’d be escorted to his car. With two weeks’ notice, he’d draw severance pay from his home.

Former employees can do a tremendous amount of damage because they know all of your secrets, and their anger at being fired might cloud their thinking. When one Silicon Valley computer manufacturer laid off several hundred employees a few years ago, it turned one of its buildings into an “employee relocation center.” Employees were given desks, chairs, working telephone lines and access to a computer network located outside the corporate firewall. The setup helped the employees make the best of a bad situation; they could job hunt while appearing to still be employed, yet they posed no danger to the company’s ongoing operations.

But Charlie’s case was a different matter entirely. Management saw him as a serious threat—an unstable insider who knew the entire security plan, and who could easily explode if fired. Were there security problems he knew about and hadn’t fixed? Worse, had he planted back doors for the purpose of exacting revenge?

We hired a group of consultants to audit the network, make sure that every computer was upgraded and properly patched, and then oversee the process of changing every employee’s password. Then we told Charlie we wanted him to meet with the CIO of a company in Japan that we were thinking of acquiring and claimed we wanted Charlie’s opinion of its network.

The minute Charlie’s plane took off, the consultants swung into action. His account was locked, systems were upgraded, operating systems were reinstalled and firewall rules were revised to the highest level of security. Two days later Charlie called from Japan in a panic: He couldn’t log in! We told him we were having problems and had brought in an outside consultant. He flipped.

That night we saw repeated log-in attempts from Japan using Charlie’s account and others. None of them were successful. Then we saw some hack attempts. Fortunately, our external systems had been patched. Meanwhile, the consultants raced to patch the rest of the internal systems. Our friend in Japan called Charlie at his hotel to pretend he was sick—could the meeting be postponed for a few days? Charlie had no choice but to comply. That weekend, our consultants worked 12-hour days. By Monday, they deemed our systems “hack proof.”

We called Charlie and told him the Japan deal was canceled, that he should come back home. (It was tempting to leave him in Japan, but we resisted.) We had a limousine meet him stateside and bring him to our headquarters. An off-duty police officer who occasionally worked for us escorted him to the HR office, where we formally terminated him.

Although the whole process cost us dearly in the checkbook, we ended up with a network that was considerably more secure than the one we started with. Ultimately, however, we didn’t learn our lesson. The following month, our CIO hired a new security architect and proceeded to hand her the only keys to the kingdom. -Simson Garfinkel


ILLUSTRATION BY ANASTASIA VASILAKIS




WHEN PROFITS go up, the CEO gets a good review. When revenue goes up, the CFO gets a good review. When operating expenses go down, the COO gets a good review.

But when nothing happens, the CSO has ostensibly done his job, and yet he gets pelted with questions: “Why are we spending all this money on security if nothing is happening?” or “How do we know the money we spent actually prevented incidents?” or even “Why can’t we cut your budget since it seems like we’re at a low risk for security incidents right now?”

The CSO role is unique when it comes time for an annual review or a bonus. How do you measure the CSO’s effectiveness when success means that nothing happens, and when nothing happening might just be dumb luck?

It’s harder to review a CSO’s performance than, say, that of a CFO, but it’s not impossible. It’s a matter of gathering circumstantial evidence by asking the right questions. Here are some guidelines.

Do not keep score. To paraphrase a famous crass saying, incidents happen. If your company suffers a security breach—internal or external—that is not, in and of itself, grounds for docking points on your CSO’s scorecard.

In certain egregious cases, it might be obvious that the CSO didn’t do what was needed to prevent an incident (for example, he had no policy in place to restrict building access), or a pattern of incidents could show failure at the CSO level. But in the vast majority of cases, security incidents cannot be predicted, only prepared for and effectively mitigated.

So while the impulse may be to simply tick off all the bad stuff that happened in your CSO’s tenure, that’s not the way to judge his overall performance.




In the event of an incident, note how the CSO responds. A good CSO is calm under pressure and will be a natural leader during a security crisis. If you are unfortunate enough to suffer an incident, even a minor one, watch the CSO as he deals with the breach. Is he taking charge, or is he immediately blaming others for not following policy? Does the CSO seem prepared to deal with the incident, or is the response sporadic and reactionary? If it’s an internal incident, is the CSO prepared to take disciplinary measures? And are those measures standard and consistent, or do they seem arbitrary? If one employee gets suspended for e-mailing sensitive data, every employee who does that must be suspended. No exceptions! Inconsistent enforcement of policy will doom security.

ILLUSTRATION BY STEPHEN WEBSTER

Does your CSO remain in contact with the board during an incident, and is that communication clear and concise, or is he fudging the story and making excuses? You can learn so much about the CSO in crises.

Of course you’d rather not have to learn that way, but, like we said, incidents happen.

Look for basic business prowess. The CSO who complains that it’s impossible to show how good a job he’s doing is not doing a good job. True, ROI metrics are hard to come by with security, but they do exist. And in lieu of metrics, the CSO can still provide qualitative examples of good business practices. Is the security operation efficient? Are policies, technologies and incident response plans standardized? Are they reviewed regularly? Has the CSO adopted risk management to plan security expenditures strategically, or is he just trying to use fear and anxiety tactics to get funding or buy-in?

The good CSO will also communicate like a businessperson and align security with the business, not the other way around.

Gauge how security has been accepted or rejected by employees. Successful education and awareness of the staff is another sign of an effective CSO. A company where employees know not to paste passwords on their computer monitors or let strangers “tailgate” at locked doors (that is, the person with the swipe card holds the door open for strangers) probably has an excellent CSO.

A “culture of security” can be infectious and quite successful. On the other hand, a heavy-handed CSO who constantly imposes rules and disciplines employees can create a sense of lockdown, which is counterproductive.

Above all, look for overall leadership. Leadership, of course, is a know-it-when-you-see-it phenomenon, and by the time you’re ready to give the CSO a review or measure his performance, you should be able to do it effectively, even if nothing has happened.

-Scott Berinato

PHOTO BY BILL MINARICH


VIEW FROM THE CSO To say that these are challenging times is the height of understatement. We are reminded every day, for example, of the potential for unconventional (or even conventional) warfare between nations, or of the once merely envisioned reality of facing weapons of mass destruction, or of the catastrophic consequences of electronic attacks against national infrastructures. CSOs work every day in an environment where crime is borderless, where it can occur in microseconds due to the electronic age, and where it is often facilitated by lack of cooperation between governments and agencies. International laws and treaties to address 21st-century crime seem to have been crafted for the age of steamships. Complexities are further magnified by the fact that modern crime may be spawned in one country and passed through several jurisdictions to instantaneously attack victims in multiple other locations. And in the past few years, more and more corporations and individuals have failed to act responsibly as stewards of shareholder and citizen trust.

As a security professional with four decades of experience, I am proud that security leaders have been exemplars in the demonstration of trusted relationships and have acted as custodians of the corporate and institutional consciences. Security leadership has gained in stature through performance and demonstrated value. The profession has risen, in a sense, from the boiler room to the boardroom.

Although the path to becoming a CSO has changed over the years, security executives have typically moved laterally into security leadership from a successful first career in government, law enforcement, the intelligence community or the military. By definition, such individuals come from a culture of discipline, mission accomplishment, knowledge of the global arena, and an ability to cope under pressure or surprise. These achievers often bring a driving personality or a sense of competitiveness to their new careers.

Such loyalty to the job, employer and function is ideally complemented by the significant integrity, honor and ethics that I’ve seen demonstrated over and over again by those who hold the extremely responsible and sensitive position of CSO. There is a sense of comfort with one’s self and with one’s position that is conveyed, for instance, in being willing and eager to develop subordinates to excel beyond themselves, and then to endorse such individuals to seek greater responsibility either with the current corporation or elsewhere. Other O’s are recognizing and honoring their CSOs as true business partners in advancing the values, objectives and successes of the corporation.

These CSOs also recognize that they can find strength rather than risk by seeking out their peers in the business community. Happily, because of an informal code of trust between CSOs in competitive corporations, they can share knowledge without compromising proprietary issues. Security executives have developed formal and informal relationships to share lessons learned and form a common front against terrorism, global crises and cybercrime, and so on. It is an exhilarating experience to witness a candid exchange of tactics, techniques, methodologies, policies and standards in a forum bounded by trust, integrity, mutual respect and notable absence of any hidden agenda.

I am personally aware of instances of security executives returning proprietary information—inadvertently or deliberately acquired by their company—to a competitor with assurances that the information either was not compromised or would not be used in any manner.

Yes, the profession of the CSO continues to be, in my eyes and experience, a culture where trust, integrity, honor and collegial respect are the beacons that guide daily behavior. I am proud to be part of this valued community.

Ray Humphrey is the only person to have held the position of president at both ASIS International and the International Security Management Association, which he also cofounded.


Pass the Aspirin

RISK MANAGEMENT Worriers. You know the type. Anxiously in evidence at raucous parties in third-story walk-ups, where they spend the whole time fretting about whether the floor is structurally sound enough to withstand all the dancing. They hustle around the place emptying ashtrays and moving drink glasses from the edges of tables. And later, you find out it’s not even their apartment!

That’s your CSO when it comes to the viral orgy of adoption of certain hot technologies. Every fiber of his being is crying out, “Wait! Be careful! These things aren’t secure!” But the din of the partygoers is so loud that no one can hear the warnings, let alone heed them.

Even in this down economy, leading-edge or unstable technology is flowing into businesses—often unofficially—adding significant risk to the computing infrastructure. Consider Web services, IM, wireless networks and PDAs. In each case, the technology brings with it vulnerabilities that can expose your network to unwanted access by outsiders.

These new technologies illustrate a frightening truism: the idea that you can build a wall and control everything on the inside while keeping disruptive elements on the outside is obsolete. And therein lies the rub. For a CSO, the main byproduct of all this eager proliferation is heartburn. Faced with inherently insecure technologies that are also enormously popular with users, the CSO (who may hold an absolutist’s view of keeping the enterprise safe) can end up in a conflict with his own internal customers.

It’s a situation that cries out for middle-ground solutions, as well as for a transfer of “informed accountability” to the business executives who must ultimately decide what level of risk is tolerable. As it turns out, good security is not about secure technologies; it’s about good administration, effective policy development, smart risk management and adroit negotiation.

Sources of Inventory Shrinkage

Employee theft 48%
Shoplifting 32%
Vendor fraud
Administrative and paper error 5%

Average Dollar Loss Per Incident from Employee Theft Versus Shoplifting

Employee theft $1,341.02
Shoplifting $207.18

SOURCE: “2002 NATIONAL RETAIL SURVEY: FINAL REPORT” FROM THE UNIVERSITY OF FLORIDA’S SECURITY RESEARCH PROJECT

Along the way, CSOs are often tempted to simply pound their fists and, well, ban something. Consider the case of Paul Clark, EDS’s London-based chief security and privacy executive, who sent out a memo to employees serving notice that the company would begin blocking access to all instant messaging sites because of the security risks. Within a week Clark had to modify the ban. Executives using IM as a cheap way to communicate with customers balked. As an alternative, EDS dedicated a secure port for IM services and limited use only to individuals with a high need for IM capabilities. “It’s not a negative thing,” says Clark of IM. “It’s what the information world is about. But it has to come with controls.”

Perhaps the best long-term hope for CSOs, however, is to provide clear-eyed analyses of the vulnerabilities imposed by various technologies and recommendations on how to best mitigate the risks. Then it falls to the relevant business executive to make an informed call about whether the risks outweigh the accompanying opportunities.

That obligates CSOs to become great communicators, able to interpret and discuss the interplay of business objectives, the range of potential threats associated with them and the costs of mitigating those threats. What most enterprises will also need to address is the reactive posture CSOs are forced into because of the ungoverned way in which technology often infiltrates business organizations—stealthily, user by user, and without the approval of anyone who has a broad view of the IT architecture.

Technology throws some legendary parties. But you don’t want to have to call the police to break them up. -Daintry Duffy and Lew McCreary




PHOTO BY GETTY IMAGES


The Public Face of Security

How security is effecting change in public spaces and architecture

The Washington Monument

JERSEY BARRIERS have ringed the Washington Monument since 1998, and recently a temporary security screening post has been added to the site. But a new plan developed by the Olin Partnership design firm headquartered in Philadelphia would do away with the temporary barriers and instead replace them with two sunken stone walkways that would encircle the monument. The three-foot drop in each walkway would prevent a vehicle from approaching the monument, but unlike jersey barriers and crowd-control fencing, the walkways would be invisible from a distance. Visitors to the monument would enter a nearby lodge to access a 400-foot-long tunnel leading to the monument.

The current screening center would be replaced by a skylit underground visitor center where people would go through a security check before accessing the elevator up to the monument.




SINCE 9/11, security has become a public phenomenon and part of the popular discourse. How much security do we need? Do we need more surveillance? Who needs to be informed when the threat alert elevates? Is it really useful to have an antiaircraft gun deployed at the Washington Monument? About the only noncontentious statement that one can make about security as a fact of life is that, in general, it’s gotten to be a public impediment. Ugly and in the way.

But even as security threats continue to multiply, signs of a more touchable terrain are emerging in, of all places, Washington, D.C. A new initiative spearheaded by the National Capital Planning Commission is putting forth the almost treasonous idea that security and historic urban design can coexist—even complement one another.

The commission’s $878 million Urban Design and Security Plan focuses on restoring the beauty, grandeur and accessibility to areas such as the White House, the Washington Monument (see the diagram on this page) and the Federal Triangle, which all have been blighted by jersey barriers and bollards in the recent “siege-chic” approach to security. The plan solicits proposals for ways to build security into the landscape in subtle ways that still provide an obvious deterrent to a terrorist but become virtually invisible to the average visitor.

Similarly at the corporate level, CSOs can effect the same kind of change by providing security efficiently while not intruding on aesthetic masterpieces, such as The Genzyme Center, the biotech company’s new headquarters in Cambridge, Mass.

There, a glassy design for the new headquarters provides Vice President and CSO Dave Kent with a huge security challenge: Keep intellectual property safe in a building that seems custom built for spying in from the outside.

Not surprisingly, meeting such a challenge starts with policy. Kent and his team are developing a clean-desk policy for employees to follow. But he’s influenced the design of the building in other ways too. He has surveillance equipment built into support columns, saving money on the cost of retrofitting cameras. He helped design a lecture hall with good acoustics to eliminate the need for and vulnerability of wireless microphones. And he helped design a state-of-the-art, combined physical and IS operations center in the building. In fact, Kent’s security plans have their own layer in the blueprints. Security doesn’t get much more ingrained into the culture than that.

In both Washington and Cambridge, the lessons are as clear as the glass skin of The Genzyme Center: Security doesn’t have to be ugly, obtrusive or blatant to be effective; and including a security expert early in the design (or in the case of Washington, D.C., redesign) process not only improves security, but it saves money too. And without an antiaircraft gun or jersey barrier in sight.

-Scott Berinato and Daintry Duffy


PHOTO BY WALTER CALLAHAN; ILLUSTRATION COURTESY OF NCPC








TERMS YOUR CSO IS LIKELY TO USE...

WHEN YOU FINALLY INVITE HIM TO THE BOARD MEETING

Acceptable use policy What an employee can and can’t do when using information resources. This policy may also disclose the employer’s monitoring procedures. (If yours doesn’t, it should.)

American Society for Industrial Security (ASIS) International A professional membership organization that provides security practitioners with programs and services to increase their productivity and effectiveness. ASIS has more than 33,000 members worldwide whose titles range from CSO and vice president of security to security manager and director.

Authentication A method of confirming a user’s identity. Techniques typically rely on something the user knows (a password or PIN), something the user carries (a smart card or ATM card), or something the user is (in the form of a fingerprint, iris scan or set of facial features). The strongest authentication involves a combination of two or three of those elements.

Bandwidth The amount of data traffic a network can handle in a given period of time. High bandwidth means more data per second can be transported.

Biometrics The authentication of a user based on physical characteristics, such as a fingerprint, iris, face, voice or handwriting. The cost of biometric systems has been dropping and reliability is improving, but many analysts say the technology will not be ready for full-scale use before 2005.

Black intelligence Dirty work at the crossroads; information obtained through espionage.

Breach The unauthorized penetration of a system. A violation of controls of a particular information system, such that information assets or system components are unduly exposed.

Buffer Space reserved in a computer’s memory in which an application stores data.

Buffer overflow Ten pounds of data in a five-pound bag. When an application sends more data to a buffer than the buffer is designed to hold, the overflow can cause a system crash or create a vulnerability that enables unauthorized system access (see Breach).


CERT Coordination Center The computer emergency response team coordination center is a federally funded research center at Carnegie Mellon University that focuses on technical issues related to Internet security. CERT/CC provides training, incident response guidance, R&D, threat advisories and more. Check out www.cert.org.

Certified information security manager (CISM) A relatively new certification recognizing skills in information risk management and technical security issues; geared toward managers who oversee enterprise information security at the conceptual level.

Certified information systems auditor (CISA) This certification indicates excellence in the areas of IS auditing, control and security. More than 30,000 people hold this widely recognized certification.

Certified information systems security professional (CISSP) The 800-pound gorilla of IS certification. To get it, you must pass an exam consisting of 250 multiple choice questions that cover such topics as access-control systems, cryptography and security management practices.

Chief information security officer (CISO) Presides over the digital side of security. A relatively new position in most organizations, the CISO is responsible for infosecurity strategy and practice, and often reports to the CIO or CTO.

Closed-circuit television (CCTV) A surveillance system in which signals are distributed via cables to a private network of monitors. CCTV is most often used for security surveillance in small, closed areas such as buildings or parking garages. But there are some extensive governmental CCTV networks (in the United Kingdom, for example) used for widely monitoring public spaces.

Computer Security Institute (CSI) An educational membership organization that offers conferences, training and networking opportunities to security professionals.

Cryptography The art and science of rendering plain text unintelligible and of converting encrypted messages back into intelligible form.


Cyberinsurance Policies covering losses incurred online or within computers and information networks. Coverage targets areas neglected in traditional insurance.

Data encryption standard (DES) A cryptographic algorithm, now adopted by the National Institute of Standards and Technology, used to encipher and decipher data using a cryptographic key.

Denial-of-service (DOS) attacks A concerted attack in which a mail server, Web server or even telephone system is deliberately overwhelmed with phony requests so that it cannot respond properly to valid ones (see Distributed denial-of-service attacks).

Digital certificate The electronic equivalent of an ID card. Works in conjunction with public-key encryption to ensure the integrity of digital signatures. Certificates contain a user's name and other identifying data. They are issued by a certification authority, which vouches for their validity.

Digital signature An electronic signature considered to be reliable and secure. Uses public-key infrastructure (see PKI) to authenticate the sender and verify the information contained in transmitted documents.

Distributed denial-of-service (DDOS) attacks A DOS attack (see Denial-of-service attacks) in which attackers load their malignant code onto many servers. Distributed attacks cause more damage than attacks originating from a single machine because defense requires blocking dozens, even hundreds, of IP addresses.

Encryption The scheme by which communication is encoded. The best encryption is asymmetric, based on two keys: one private to the individual and the other public and widely shared. (Morse code is an example of symmetric encryption, since the same scheme is used both to code and decode.) In asymmetric encryption, many users can have the same public key without violating the security of the private key.

False negative The failure of a system to recognize an intrusive action.

False positive The erroneous classification of an action as anomalous (a possible intrusion) when it is, in fact, legitimate and benign.


Firewall Your enterprise's demilitarized zone, consisting of hardware and software components; it enforces a boundary between two or more networks by limiting access in accordance with local security policy. A typical firewall is an inexpensive PC that is kept clean of critical data with many modems and public network ports on it, but just one carefully monitored connection back to the critical data it protects.

Freedom of Information Act (FOIA) Legislation passed to ensure that the public gets access to certain government information. FOIA creates procedures enabling citizens to petition federal departments or agencies by describing specific information they believe the agency has on file, and to request photocopies of those files.

Gateway A device that can isolate and control the flow of information between a computer system and authenticated users on networks connected to the system. Based on a user's profile, the gateway regulates his access to various network destinations.

Gramm-Leach-Bliley Act Legislation that restricts the ways in which financial institutions can share private consumer data with nonaffiliated third parties. In addition, companies with significant involvement in finance must alert customers about their information-sharing policies and practices and obtain consent to share their data.

Health Insurance Portability and Accountability Act (HIPAA) Regulations designed to protect patients' privacy rights. Provisions require doctors, hospitals, insurance companies and pharmacies to obtain written consent from patients before disclosing medical information to anyone for any reason; document any access to that data; hire a full-time privacy officer; and give patients access to their own data, including the ability to make corrections.

Honeypots Unpatched default systems whose goal is to attract and log the probes and attacks of malicious hackers and crackers. While they do not protect the network, honeypots can glean data about "black hat" behavior and help identify potential system weaknesses. Honeypots can also help in postattack forensic analysis.


48  www.csoonline.com  Security  Handbook  2004 


Information security The protection of information against unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional; a system of administrative policies and procedures for identifying, controlling and protecting information.

Information security director The person responsible for protecting information, often accountable directly to the CIO. She generally has global responsibilities for policy development, compliance, investigations and information protection.

Information Sharing and Analysis Center (ISAC) A number of industry-specific groups (in financial services, energy, telecom and transportation, among other sectors) formed to give critical infrastructure companies a forum for information-sharing about security threats and vulnerabilities.

InfraGard Public and private information-sharing effort led by the FBI with local chapters across the United States.

International Information Systems Security Certification Consortium ((ISC)²) International, nonprofit organization dedicated to developing training, certification exams and a common body of information security knowledge.

International Security Management Association (ISMA) Security organization that represents CSOs from more than 300 of the largest global corporations.

Intrusion detection system (IDS) Security software that identifies and records all attempts to compromise a network, for example, someone scanning server ports or making repeated attempts to log in using random passwords.

ISO 17799 A set of information security management standards created by the International Organization for Standardization. When is a standard not a standard? Because ISO 17799 provisions function more like voluntary guidelines, companies cannot be certified against its provisions. Still, they are the most widely recognized international security standards.

Layered security A physical security approach that requires a criminal to penetrate or overcome a series of security layers before reaching a target. The layers might be perimeter barriers; building or area protection with locks, CCTV and guards; and point-and-trap protection using safes, vaults and sensors.

Chief security officer (CSO) The highest-ranking security person in a company. Responsibilities can cover both corporate and information security, including policy and execution across such varied areas as risk assessment, physical security, background checks, data privacy and intellectual property protection.

Malicious code Software that appears to perform a useful or desirable function but actually gains unauthorized access to system resources, or tricks a user into causing other malicious code to execute.

Overt surveillance Letting the bad guys know you're there. This tactic is usually applied in high crime areas as a means for discouraging criminal behavior. (Among the attributed effects of widespread CCTV use in the United Kingdom is citizens' awareness in public that they are often being watched.)

Password sniffing Passive wiretapping, usually on a local area network, to gain knowledge of passwords.

Patch A small update released by a software manufacturer to fix known vulnerabilities (bugs) in existing programs.

Penetration testing Also called pen testing, this probes the perimeter of a network or facility, looking for its weaknesses.

Physical security The part of security concerned with physical measures designed to safeguard personnel; prevent unauthorized access to equipment, installations, material and documents; and safeguard them against espionage, sabotage, damage and theft.

Privacy Something people used to care a lot about, which is a good thing, since there's less and less of it left. Depending on the agency and the day of the week, the federal government oscillates crazily between, on the one hand, ordering you to provide privacy for customers and transactions and, on the other hand, petitioning Congress and the courts to ratify plans to violate it evermore aggressively. Privacy has clearly seen better days.

Public-key infrastructure (PKI) A system for securely exchanging information. It includes a method for publishing the public keys used in public-key cryptography and for keeping track of keys that are no longer valid.

Radio Frequency Identification (RFID) A wireless system for transmitting basic data, which consists of an antenna and receiver on one end and a transponder (or tag) on the other end. A common example of an RFID can be found in fast lanes at toll booths. RFIDs are an alternative to bar codes or other identifiers that require line of sight or some kind of contact to transmit data. They are also gaining prominence because they are inexpensive to produce and easy to adapt. They can be put into tires or woven into clothes, for example. However, many privacy advocates are concerned about widespread use and the abuse of this technology, which could easily collect data without one knowing it's happening.

Return on security investment (ROSI) A way of reassuring the enterprise that its security investments aren't bottomless or valueless. The point of maximum ROSI is where the total cost of security is lowest, factoring in both the cost of security breaches and the cost of the controls designed to prevent them.

Risk What keeps you up at night. A level of threat rationally understood in the context of your vulnerability to it. How much of it your enterprise will tolerate depends on what it has to gain or lose as a result.

Risk assessment The process by which risks are identified and their impact determined.

SANS Institute A research organization that offers alerts, training and certification; operates Incidents.org and the Internet Storm Center.

Secure electronic transaction (SET) A protocol developed to provide for secure end-to-end online credit card transactions. All parties (customers, merchants and banks) are authenticated using digital signatures; and encryption protects the message and provides integrity.


Secure sockets layer (SSL) A protocol that enables encrypted communications to pass between a server and a client on TCP/IP networks, such as the Internet. An SSL-enabled server authenticates itself to an SSL-enabled client, and the client authenticates itself to the server, allowing both machines to establish an encrypted connection.

Security policy A set of rules and practices that guides a system or organization in providing security services.

Sniffer A tool that monitors network traffic as it is received in a network interface.

Tailgating The act of entering a building as someone else with access credentials holds the door open. Tailgating is one of the most common techniques criminals use to gain illegal entry into facilities.

Virtual private network (VPN) An outsourced remote Internet access system. VPNs allow remote users to connect securely to an ISP or a private IP network via an encrypted tunnel cordoned off from the public portions of the Internet. A VPN is generally less expensive for a company than building and operating its own dedicated network.

Virus A hidden, self-replicating piece of computer software, usually malicious logic that propagates by infecting (for example, inserting a copy of itself into) another program. A virus cannot run by itself; it requires the operation of its host program.

Wireless application protocol (WAP) A specification for a set of communications protocols to standardize the way that wireless devices, such as cell phones and radio transceivers, can be used for Internet access, including e-mail, the World Wide Web, newsgroups and instant messaging.

SOURCES: CSO REPORTING; SANS INSTITUTE; ASIS




CSO Contact Information

Index of Companies and Advertisers




Sales and Services

CSO Sales Offices

President Walter Manninen • 508 935-4101
Group Publisher Gary J. Beach • 508 935-4202
Publisher Bob Bragdon • 508 935-4443
Executive VP Sales/Custom Publishing Ellen Romanow • 508 935-4796

East Coast

Eastern Regional Sales Manager Paul Reiss • 508 935-4163
Eastern Regional Account Executive Kim Forrest • 508 935-4068
Senior Regional Manager Kathy Powers • 973 244-4041

Midwest

Regional Director Robert E. Sawdon • 512 306-9801
Regional Sales Manager Christopher Nolan • 847 441-5005

West Coast

Western Regional Sales Manager Mary Sinclair • 415 975-2691
Senior Regional Manager Jane Evans • 415 975-2680
Regional Manager Ai Collins • 415 975-2686
Regional Sales Manager Chris Bramel • 949 475-5579

List Services

List Services Director Kathryn A.W. Marston • 508 935-4072
List Services Account Executive Stephanie Roy • 508 935-4151
List Services Coordinator Kim Cormican • 508 935-4152

Online Services

VP/Online Sales Lisa Brown • 508 935-4470
Online Sales Manager Michael McPhee • 508 935-4611

Custom Publishing

Group Director Michael Siggins
Director Mary Gregory
Director of Content Development Tom Field
Project Managers John Danielowich, Amy Greenleaf
Graphic Designer Chris Brown


Production

VP/Manufacturing Chris Cuoco
Production Manager Lee Tuttle
Senior Production Coordinator Lisa Stevenson

Executive Programs

EP Senior Vice President Jennifer Richards
Conference Management VP Cynthia Mollus
Marketing Services Director Shellie Rapson James
Business Development VP John Amato
Program Operations Manager Brian Fuce
Marketing Manager Glede Kabongo
Marketing Services Coordinator Andrea Slobogan
Event Development Specialist Sandra J. Hughey
Operations Coordinator Michael Barbato
Event Planning Manager Amy Turell
Senior Customer Service Coordinator Sarah Yee

Marketing

Executive VP/Marketing Cathy O'Leary Hayes
VP/News and Information Susan Watson
Media Relations Manager Karen Fogerty
News and Information Associate Lori Piscatelli
Marketing Research Director Bridget Cammarata
Marketing Research Manager Carolyn Johnson
Sr. Marketing Research Analyst Dylan DiGregorio
Marketing Comm. Director Sue Yanovitch
Sr. MarCom Development Specialist Kari Curto
Marketing Comm. Associate Sarah Crowley

Circulation

Senior VP/Circulation Carol A. Spach
Circulation Director Faith Marcello
Subscription Svcs. Supervisor Tina Pescaro

Reprint Services

For article reprints (500 quantity or more), please contact Chad Johnston at RSiCopyright (651 582-3800) or e-mail: csoreprints@rsicopyright.com.

For further sales information, visit www.csoonline.com/reprints/index.html.


Editorial, Advertising and Business Offices

492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208, 508 872-0080.

Postal Information

CSO (ISSN 1540-904x) is published monthly, plus special issue, by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Application to mail at Periodicals postage rate is pending at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9.

Permissions

Copyright 2003 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Send requests to Andrew Burrell, CXO Media Inc., 492 Old Connecticut Path, Framingham, MA 01701, Telephone 508 935-4785. E-mail aburrell@cxo.com.

Photocopy Rights

Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: $.

Subscriptions

Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified information executives. To all others the one-year basic rate is $90 for the United States and Canada, $115 to foreign countries (payable in U.S. funds only). The single copy price is $9. Please allow four to six weeks for new subscriptions to begin.

Change of Address

Please go to www.omeda.com/custsrv/cso and follow the online instructions.

Postmaster

Send change of address to CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Page numbers refer to the first page of the article(s) in which the company has a substantial mention. This index is provided as a service to readers. The publisher does not assume any liability for errors or omissions.

Company Index

@stake Inc. ... 28
AON Corp. ... 41
Archer Daniels Midland Co. ... 42
Avon Products Inc. ... 31
Boston Scientific Corp. ... 31
Boyden Global Executive Search ... 26
Control Risks Group ... 42
Covenant Health ... 36
Deloitte Touche Tohmatsu ... 30
eBay Inc. ... 52
Eckert Seamans Cherin & Mellott LLC ... 15
Electronic Data Systems Corp. ... 46
FMR Corp. ... 31
Foote Partners LLC ... 18
Genzyme Corp. ... 31, 39, 47
Giga Information Group Inc. ... 12
iJet Travel Intelligence Inc. ... 42
Impact Group, The ... 30
Intel Corp. ... 36
Kaiser Permanente ... 30
Kroll Inc. ... 30, 42
Lenzner Group ... 18
Lifetime Healthcare Cos., The ... 26
Merck ... 18
MOL America Inc. ... 11
Morgan Howard ... 26
Motorola Inc. ... 42
Sonnenschein Nath & Rosenthal LLP ... 29
Sprint Corp. ... 12
TruSecure Corp. ... 36
USAA ... 35
W.L. Gore & Associates Inc. ... 42
Zurich North America ... 14

Advertiser Index

Avaya ... C3, 7, 8
Check Point Software ... C2, 2
Computer Associates Intl. Inc. ... 16
CXO Media Inc. ... 51
RSA Security Inc. ... C4, 23, 24




Is the Best New Publication

[But you already knew that, didn't you?]

CSO magazine is the proud recipient of the prestigious 2003 Jesse H. Neal Award for "Best New Publication." CSO was also honored as first runner-up to sister publication CIO magazine for the Grand Neal Award, the top editorial honor granted to one publication from more than 1,000 entries across all categories and circulation sizes. This marks the first time a new publication has received such prestigious recognition so early on.

Often hailed for its preeminence as the "Pulitzer Prize of the business press," the Neal Award is the business publishing industry's annual salute to individual editors for outstanding editorial excellence.

The Neal Award judges aren't the only ones who value CSO magazine. 98% of CSO readers find the content of CSO relevant to their jobs.*

NOW THAT'S WHAT WE CALL AN AWARD!

* SOURCE: CSO MAGAZINE "SECURITY SENSOR II," DECEMBER 2002




Security Soundbites

Howard Schmidt on

Cooperation

"It used to be a lot of work to get companies to see that you can't divorce the public critical infrastructure from private industry. One of the positive responses to 9/11 is that now it's hard to find someone who can't see the interdependence."

The Future

"I can't imagine a company in five years without a CSO or executive in charge of security. Already the position is having a tremendous coming out, reporting to the CEO in some cases. Security will continue to be elevated to a position of unique authority."




Company: eBay

Current position: Vice president and CISO

Previous positions: Former vice chairman of the Critical Infrastructure Protection Board; and prior to that, CSO of Microsoft

Other endeavors: Coauthor of the "Draft National Strategy to Secure Cyberspace"

ILLUSTRATION BY PATRICK MEREWETHER


Getting It Right

"Security can't be a necessary evil, it must be a core business process. You can't sit around and wait for something bad to happen. To make this mind-set routine, security must start high up in a company, where it can reach across the company's boundaries. I'm encouraged that this is, indeed, starting to happen. Companies are beginning to look at the problem the right way."

The Title Fight

"What exactly is a CSO or a CISO? We see salespeople who call themselves CSOs now. I'm somewhat discouraged by the misuse of the titles. I urge companies to understand the operational and strategic responsibilities of the role so they don't end up with, you know, a salesperson as CSO."

How to Start

"First, hire someone with business expertise. Then recognize that security doesn't happen two weeks before a project starts. It starts the moment you have an idea. Then, it's training and awareness. Constantly."


AVAYA

reach a higher plane of communication

AS YOUR COMMUNICATION NETWORK gets more complicated — dare we say, converged? — you need to toughen your defense. Meet the complete security solution from Avaya. Our mantra: the pucks stop here. Count on Avaya Security Solutions to protect your entire network, no matter where you are on the path to IP telephony. We take a holistic approach to security with the multivendor expertise of Avaya Global Services. Our industry-certified consultants methodically assess all your communication devices, policies and vulnerabilities, inside and out (no sneak shots around the post). In the state of Avaya, our services, systems, applications and products assure that your converged network is secure by design. See why it's no contest when Avaya security is minding your net at avaya.com/secure. Or call 866-GO AVAYA today.

IP Telephony
Contact Centers
Unified Communication
Services

With Avaya MINDING YOUR NET, your voice, data, even your converged network can be SAFE AND SECURE.

© 2003, Avaya Inc. All Rights Reserved.

Avaya, the Avaya Logo, and all trademarks identified by ® or ™ are trademarks of Avaya Inc. and may be registered in certain jurisdictions. All other trademarks are the property of their respective owners.


Protecting access to sensitive data and applications with a simple password?

Now you're really asking for it.

Give users convenient access to critical data any time, from anywhere and your entire organization becomes more productive. But protecting that access with a simple password could create a serious liability. RSA SecurID® two-factor authentication offers protection from hackers by positively identifying users before they can access sensitive network resources. So join 87% of today's Fortune 100, 88% of the world's largest banks, and thousands of other companies by relying on RSA Security® identity and access management solutions. We'll help you operate a more profitable business, without worrying about what goes on behind your back.

To learn more about our identity and access management solutions, view the "Road to Authentication" webcast at www.rsasecurity.com/webseminars/scorecard. Produced in partnership with CSO Magazine.

RSA SECURITY

AUTHENTICATION · WEB ACCESS MANAGEMENT · DEVELOPER SOLUTIONS

RSA, RSA SecurID and RSA Security are registered trademarks of RSA Security Inc., in the United States and/or other countries. ©2003 RSA Security Inc. All rights reserved. All other products and services mentioned are trademarks of their respective companies.


